[20034] in Kerberos_V5_Development
Re: Extending certauth plugin to set ticket flags?
daemon@ATHENA.MIT.EDU (Ken Hornstein)
Mon Feb 24 15:07:27 2020
Message-ID: <202002242007.01OK6ufc012752@hedwig.cmf.nrl.navy.mil>
From: Ken Hornstein <kenh@cmf.nrl.navy.mil>
To: krbdev@mit.edu
In-Reply-To: <9298cf01-7ac5-6748-9ec7-763ecccd2580@mit.edu>
MIME-Version: 1.0
Date: Mon, 24 Feb 2020 15:06:56 -0500
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: krbdev-bounces@mit.edu
>That would work, but I'd rather not add a config option for this
>feature. Every config option adds to the oversized bin of config options
>that every administrator has to sort through in the documentation.
>(Having undocumented config options isn't great either.)

I understand where you're coming from; I am really flexible here.
If you are happy with PKINIT always setting PA_HARDWARE then so am I.
I understand this is a weird mix of old and new code and the older-style
authentication indicators like TKT_FLG_HW_AUTH; my goal here is to
get our community on a long-term sustainable path in terms of code
maintenance. Getting from here to there isn't always easy.

>I did notice that when the client principal has +requires_hwauth and
>PKINIT doesn't set the hw-authent flag, the result is a preauth loop
>(terminating with "Looping detected inside krb5_get_in_tkt"). It's
>unclear what piece of code should change to prevent this, if any.

Ah, yes, I know that error well :-/
--Ken