[20278] in Kerberos_V5_Development


Re: Issues with multiple pkinit KDC certauth plugins

daemon@ATHENA.MIT.EDU (Greg Hudson)
Mon May 17 12:37:14 2021

To: Ken Hornstein <kenh@cmf.nrl.navy.mil>, <krbdev@mit.edu>
From: Greg Hudson <ghudson@mit.edu>
Message-ID: <bda13157-88e8-6a5c-1279-fe7ee26de016@mit.edu>
Date: Mon, 17 May 2021 12:29:04 -0400
MIME-Version: 1.0
In-Reply-To: <202105100243.14A2hZfN021846@hedwig.cmf.nrl.navy.mil>
Content-Language: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: krbdev-bounces@mit.edu

On 5/9/21 10:47 PM, Ken Hornstein wrote:
> It occurs to me that the simplest solution here would be to
> add an additional return code that meant "pass + add hwauth to
> ticket".  Like it could be called KRB5_CERTAUTH_HWAUTH_PASS.  Or
> KRB5_CERTAUTH_HWAUTH_NO_HANDLE, or something else.

In hindsight, adding a new method would probably have been cleaner, so
that we could ask "does this cert indicate the use of hardware"
independently of "does this cert authorize this principal".

However, since we're halfway in on shoehorning both questions into one
method, I guess it's no less clean at this point to add another entry in
the answer matrix.  So, this is fine.
_______________________________________________
krbdev mailing list             krbdev@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev
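To make the "answer matrix" discussed above concrete, here is an added example (written for this page, not code from the krb5 project) that models how a KDC could fold the results of several certauth modules into one decision. The enumerators, the `cert_info` struct, the two toy modules and the combination rule are all constructed assumptions: `CERTAUTH_HWAUTH_PASS` stands for the return code Ken proposes (hardware indicated, but no opinion on whether the cert authorizes the principal), and the numeric values are placeholders rather than krb5's real error codes. The point it shows is that a hardware-indication module never authorizes on its own; the hw-authent flag only lands on a ticket that some other module actually authorized, and a rejection from any module wins.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Constructed stand-in for the certauth answer matrix.  The names mirror the
 * semantics discussed on the list; the values are placeholders for this
 * example, not krb5's real definitions.
 */
enum certauth_result {
    CERTAUTH_OK = 0,        /* cert is authorized for the principal */
    CERTAUTH_NO_HANDLE,     /* module has no opinion; try the next one */
    CERTAUTH_HWAUTH,        /* authorized, and set hw-authent in the ticket */
    CERTAUTH_HWAUTH_PASS,   /* no opinion on authorization, but hardware was used */
    CERTAUTH_REJECT         /* name/EKU mismatch: fail regardless of other modules */
};

/* Constructed, minimal view of a client certificate (stands in for the DER blob). */
struct cert_info {
    const char *san_principal;   /* principal name carried in the SAN, or NULL */
    bool        hardware_policy; /* cert asserts a hardware-token policy */
};

/* Hypothetical module 1: authorizes only if the SAN names the requesting principal. */
enum certauth_result san_module(const struct cert_info *cert, const char *princ)
{
    if (cert->san_principal == NULL)
        return CERTAUTH_NO_HANDLE;
    return strcmp(cert->san_principal, princ) == 0 ? CERTAUTH_OK : CERTAUTH_REJECT;
}

/* Hypothetical module 2: knows only whether the cert indicates a hardware token,
 * never whether it authorizes the principal, so it answers HWAUTH_PASS or passes. */
enum certauth_result hwauth_module(const struct cert_info *cert, const char *princ)
{
    (void)princ;
    return cert->hardware_policy ? CERTAUTH_HWAUTH_PASS : CERTAUTH_NO_HANDLE;
}

struct kdc_decision {
    bool authorized;  /* issue the ticket */
    bool hw_authent;  /* set the hw-authent flag in the issued ticket */
};

/* Combine per-module results (assumed rule): any rejection wins immediately;
 * authorization needs at least one authorizing module; hw-authent is only
 * meaningful on an issued ticket, so it is cleared when authorization fails. */
struct kdc_decision combine_certauth(const enum certauth_result *results, size_t n)
{
    struct kdc_decision d = { false, false };
    for (size_t i = 0; i < n; i++) {
        switch (results[i]) {
        case CERTAUTH_OK:          d.authorized = true; break;
        case CERTAUTH_HWAUTH:      d.authorized = true; d.hw_authent = true; break;
        case CERTAUTH_HWAUTH_PASS: d.hw_authent = true; break;
        case CERTAUTH_NO_HANDLE:   break;
        case CERTAUTH_REJECT:      d.authorized = false; d.hw_authent = false; return d;
        }
    }
    if (!d.authorized)
        d.hw_authent = false;
    return d;
}

/* Run both modules over a cert for a principal and return the KDC decision. */
struct kdc_decision evaluate(const struct cert_info *cert, const char *princ)
{
    enum certauth_result r[2];
    r[0] = san_module(cert, princ);
    r[1] = hwauth_module(cert, princ);
    return combine_certauth(r, 2);
}

int main(void)
{
    /* Constructed sample certificates. */
    struct cert_info token = { "alice@EXAMPLE.COM", true };   /* SAN + hardware policy */
    struct cert_info soft  = { "alice@EXAMPLE.COM", false };  /* SAN, software key */
    struct cert_info nosan = { NULL, true };                  /* hardware policy, no SAN */

    struct kdc_decision d;
    d = evaluate(&token, "alice@EXAMPLE.COM");
    printf("token cert for alice:  authorized=%d hw_authent=%d\n", d.authorized, d.hw_authent);
    d = evaluate(&soft, "alice@EXAMPLE.COM");
    printf("soft cert for alice:   authorized=%d hw_authent=%d\n", d.authorized, d.hw_authent);
    d = evaluate(&nosan, "alice@EXAMPLE.COM");
    printf("no-SAN cert for alice: authorized=%d hw_authent=%d\n", d.authorized, d.hw_authent);
    d = evaluate(&token, "bob@EXAMPLE.COM");
    printf("token cert for bob:    authorized=%d hw_authent=%d\n", d.authorized, d.hw_authent);
    return 0;
}
```

The four sample runs cover the cells of the matrix that matter: SAN match plus hardware indication yields an authorized ticket with hw-authent set; a software cert is authorized without the flag; a hardware cert with nothing that authorizes the principal is not issued at all (the pass code alone is not an authorization); and a SAN mismatch rejects even though the hardware module answered HWAUTH_PASS.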
