Hi, Simo,

Does this require modifying the MIT KDC source code?

Thanks
Jim

> On Jun 2, 2015, at 7:36 PM, Simo Sorce <s...@redhat.com> wrote:
>
> On Tue, 2015-06-02 at 21:11 -0400, Ken Hornstein wrote:
>>> Today we use password-based authentication (kinit). And we want to
>>> introduce PKinit. But while validating the ServiceTicket we would like to know
>>> if the service ticket was issued through Kinit or PKinit.
>>>
>>> Is there a way to find this?
>>
>> We sort-of do this, but it may not directly be applicable.
>>
>> Our KDC-side PKINIT module will set the HW-AUTH flag on the TGT _if_ a particular
>> policy OID is found in the client certificate (in our case, the policy
>> OID we check for is if the certificate comes from a smartcard, so the
>> use of HW-AUTH is appropriate). Flags set in a TGT get propagated to
>> service tickets, so we have code on application servers that checks to see
>> if the HW-AUTH flag exists for service tickets to make authorization
>> decisions.
>>
>> So, you could do that (if your client-side certificates are issued from
>> a hardware device), or overload the HW-AUTH flag. Checking that on the
>> application server side is easy.
>>
>> But ... if you don't want to do that, you MAY be able to check the service
>> ticket for the AD_INITIAL_VERIFIED_CAS authorization data (although a quick
>> glance suggests to me that MIT Kerberos doesn't generate that data, but
>> I could be wrong about that). That would require further investigation.
>
> There is work to actually provide this kind of information here:
> https://tools.ietf.org/html/draft-ietf-kitten-krb-auth-indicator-00
>
> Hopefully this will be approved soon, implementation is underway.
>
> Simo.
>
> --
> Simo Sorce * Red Hat, Inc * New York
>
> ________________________________________________
> Kerberos mailing list Kerberos@mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
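The application-server check Ken describes (decide authorization from the HW-AUTH flag that the KDC set on the TGT and that propagated into the service ticket) comes down to reading one bit of the ticket's TicketFlags. The following is an added example, not code from the thread or from MIT Kerberos: it decodes the DER BIT STRING that carries TicketFlags (bit numbering per RFC 4120 section 5.3), exposes the same 32-bit word MIT krb5 keeps in krb5_enc_tkt_part.flags (TKT_FLG_HW_AUTH is 0x00100000 there), and applies a "hw-authent required" policy. The sample flag values are constructed, not captured from a real KDC; the function names are the example's own.

```python
# Added example: decode Kerberos TicketFlags and apply the HW-AUTH policy
# from the thread. Not from the mailing list or from MIT krb5.

# Bit positions from RFC 4120 section 5.3. Bit 0 is the most significant
# bit of the first content octet of the BIT STRING.
TICKET_FLAG_BITS = {
    0: "reserved", 1: "forwardable", 2: "forwarded", 3: "proxiable",
    4: "proxy", 5: "may-postdate", 6: "postdated", 7: "invalid",
    8: "renewable", 9: "initial", 10: "pre-authent", 11: "hw-authent",
    12: "transited-policy-checked", 13: "ok-as-delegate",
}

# MIT krb5 keeps the same bits as a 32-bit word; this is TKT_FLG_HW_AUTH.
TKT_FLG_HW_AUTH = 0x00100000


def _bit_string_content(der: bytes) -> bytes:
    """Return the content octets of a DER BIT STRING (tag 0x03, short length).

    Fails closed: anything malformed raises ValueError instead of decoding
    to an empty flag set that a caller might mistake for "no flags".
    """
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("not a DER BIT STRING")
    length = der[1]
    if length & 0x80 or len(der) != 2 + length:
        raise ValueError("unsupported or inconsistent BIT STRING length")
    unused, content = der[2], der[3:]
    if unused > 7 or (unused and not content):
        raise ValueError("bad unused-bits octet")
    if len(content) < 4:  # KerberosFlags is BIT STRING (SIZE (32..MAX))
        raise ValueError("KerberosFlags must carry at least 32 bits")
    return content


def decode_ticket_flags(der: bytes) -> set:
    """Decode a DER-encoded TicketFlags value into the set of flag names."""
    content = _bit_string_content(der)
    nbits = len(content) * 8 - der[2]
    return {
        name for bit, name in TICKET_FLAG_BITS.items()
        if bit < nbits and content[bit // 8] & (0x80 >> (bit % 8))
    }


def as_mit_flag_word(der: bytes) -> int:
    """First 32 bits as the integer MIT krb5 stores in krb5_enc_tkt_part.flags."""
    return int.from_bytes(_bit_string_content(der)[:4], "big")


def authorize_hw_auth(der: bytes) -> bool:
    """Application-server policy from the thread: grant only when the service
    ticket carries hw-authent, i.e. the TGT came from PKINIT with a
    certificate that matched the KDC's smartcard policy OID."""
    return "hw-authent" in decode_ticket_flags(der)


# Constructed sample values (not from a real KDC).
# forwardable + renewable + initial + pre-authent: what an ordinary
# password kinit produces.
PASSWORD_TICKET_FLAGS = bytes.fromhex("03050040e00000")
# The same plus hw-authent, as Ken's PKINIT module would set it.
SMARTCARD_TICKET_FLAGS = bytes.fromhex("03050040f00000")

if __name__ == "__main__":
    for label, der in (("password", PASSWORD_TICKET_FLAGS),
                       ("smartcard", SMARTCARD_TICKET_FLAGS)):
        print(label, sorted(decode_ticket_flags(der)),
              hex(as_mit_flag_word(der)), "authorized:", authorize_hw_auth(der))
```

In a real server the flag word is already decoded for you: after krb5_rd_req the krb5_ticket's enc_part2->flags can be tested against TKT_FLG_HW_AUTH, which is the same 0x00100000 bit the decoder above recovers. The decoder is mainly useful for inspecting tickets offline or for a non-C service that receives the raw ASN.1.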