[20030] in Kerberos_V5_Development


Re: Extending certauth plugin to set ticket flags?

daemon@ATHENA.MIT.EDU (Ken Hornstein)
Fri Feb 21 13:11:52 2020

Message-ID: <202002211811.01LIBLOd009614@hedwig.cmf.nrl.navy.mil>
From: Ken Hornstein <kenh@cmf.nrl.navy.mil>
To: Greg Hudson <ghudson@mit.edu>
In-Reply-To: <8d4b0b38-8b3b-2107-b793-af3f713f79c3@mit.edu>
MIME-Version: 1.0
Date: Fri, 21 Feb 2020 13:11:21 -0500
Cc: krbdev@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: krbdev-bounces@mit.edu

>>> 2. Designate a magic authentication indicator value (probably "hwauth").
>>> In the core KDC code near the end of AS-REQ processing, check if this
>>> indicator is asserted and set the hw-authent bit.
>> 
>> I'd be happy with this.
>
>Unfortunately, this approach turns out to be difficult to implement
>properly.  (Authdata handling happens late in the AS-REQ process, and
>can affect the set of indicators.  Checking the server principal's
>hardware authentication requirement against the ticket flags happens
>earlier, and if that check fails, we have to produce a hint list, which
>is an async process, so it's not easy to move the check later.)

Well, I will defer to your knowledge of the KDC AS-REQ processing path,
and "perfect is the enemy of the good" and all that.  If you are fine
with a designated authorize_cert return code, then so am I.

--Ken
_______________________________________________
krbdev mailing list             krbdev@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev
