[Freeipa-devel] [PROPOSAL] Kerberos flags

Nathaniel McCallum npmccallum at redhat.com
Fri Mar 8 18:17:11 UTC 2013


On Fri, 2013-03-08 at 18:53 +0100, Sumit Bose wrote:
> On Fri, Mar 08, 2013 at 12:28:03PM -0500, Nathaniel McCallum wrote:
> > On Fri, 2013-03-08 at 10:27 +0100, Sumit Bose wrote:
> > > On Thu, Mar 07, 2013 at 03:15:18PM -0500, Rob Crittenden wrote:
> > > > Based on a comment from Sumit in ticket
> > > > https://fedorahosted.org/freeipa/ticket/3329 here is a bare outline
> > > > of how one might do it: http://freeipa.org/page/V3/Kerberos_Flags
> > > > 
> > > > There is a bit of hand waving going on around how the flags are
> > > > actually set inside the KDB plugin since I'm not at all familiar
> > > > with that code but I don't expect it to be too big a deal.
> > > > 
> > > > I'm not necessarily volunteering to do this work, just trying to
> > > > keep the ball moving forward.
> > > 
> > > Thank you for setting up the design page. I would like to suggest that
> > > we should try to include all currently available flags in one run,
> > > because:
> > > - some flags related to OTP would be needed as well
> > 
> > I'm not aware of any. Are you? I may very well be missing something
> > obvious.
> 
> iirc you once mentioned that requires_hwauth is used to signal the
> client that an OTP is needed. But I haven't checked your recent code if
> the flag is added behind the scenes or if it needs to be set for the
> principal.

We chose to abandon this since this flag is passed to the recipients of
the ticket and since OTP doesn't necessarily provide a hardware guarantee.

Note that requires_hwauth is an RFC defined flag and admins may wish to
use it, so support for it should probably be present. However, it is
unrelated to OTP at this point.

Nathaniel
