Greg,

* Greg Hudson (ghud...@mit.edu) wrote:
> I can think of several things to worry about with that:
Thanks for your thoughts! It strikes me that the KDC has all the pieces needed to make the decision. The only question is if the right parts have the necessary information to check. My gut feeling is that the SAM2 module should be able to tell if FAST is being used and, if not, refuse to allow progress to go forward. This would have to be configurable on the KDC side, of course, but I think it would address the concerns you raised. I've not looked at any of the code associated with this yet, but I plan to do so over the next few days to see if my suggestion above can be implemented.

Regarding configuration management and trusting the SecurID implementation: those are certainly valid concerns and should be documented. I'm confident in our SecurID implementation (which includes both long PINs and long token values) and feel we can manage the configuration pieces (particularly ensuring that we only set 'simple' passwords on princs which have require_hwauth set; perhaps we could set a policy of some kind associated with that...).

Thanks again!

Stephen
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos