On Tue, 2015-06-02 at 21:11 -0400, Ken Hornstein wrote:
> > Today we use password-based authentication (kinit). And we want to
> > introduce PKinit. But while validating a ServiceTicket we would like to know
> > if the service ticket was issued through Kinit or PKinit.
> >
> > Is there a way to find this?
>
> We sort-of do this, but it may not directly be applicable.
>
> Our KDC-side PKINIT module will set the HW-AUTH flag on the TGT _if_ a particular
> policy OID is found in the client certificate (in our case, the policy
> OID we check for is whether the certificate comes from a smartcard, so the
> use of HW-AUTH is appropriate). Flags set in a TGT get propagated to
> service tickets, so we have code on application servers that checks to see
> if the HW-AUTH flag exists on service tickets to make authorization
> decisions.
>
> So, you could do that (if your client-side certificates are issued from
> a hardware device), or overload the HW-AUTH flag. Checking that on the
> application server side is easy.
>
> But ... if you don't want to do that, you MAY be able to check the service
> ticket for the AD_INITIAL_VERIFIED_CAS authorization data (although a quick
> glance suggests to me that MIT Kerberos doesn't generate that data, but
> I could be wrong about that). That would require further investigation.
There is work to actually provide this kind of information here:
https://tools.ietf.org/html/draft-ietf-kitten-krb-auth-indicator-00

Hopefully this will be approved soon; implementation is underway.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
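The application-server check Ken describes, as an added example that is not code from the thread or from MIT Kerberos: it decodes the TicketFlags BIT STRING of an EncTicketPart (bit positions per RFC 4120 section 5.3.1, hw-authent being bit 11) and makes the HW-AUTH authorization decision on it. The two flag words are constructed samples, and a real server would take the flags from the decrypted service ticket handed back by its Kerberos library rather than from raw DER.

```python
from __future__ import annotations

# Bit positions from RFC 4120 TicketFlags; ASN.1 BIT STRING bit 0 is the
# most significant bit of the first content octet.
TICKET_FLAG_BITS = {
    "forwardable": 1, "forwarded": 2, "proxiable": 3, "proxy": 4,
    "may-postdate": 5, "postdated": 6, "invalid": 7, "renewable": 8,
    "initial": 9, "pre-authent": 10, "hw-authent": 11,
    "transited-policy-checked": 12, "ok-as-delegate": 13,
}


def decode_ticket_flags(der: bytes) -> set:
    """Return the names of the flags set in a DER-encoded TicketFlags BIT STRING."""
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("not a BIT STRING")
    length = der[1]
    # TicketFlags is 32 bits in practice, so only the short length form is handled.
    if length & 0x80 or length != len(der) - 2:
        raise ValueError("bad BIT STRING length")
    unused = der[2]
    if unused > 7:
        raise ValueError("invalid unused-bits count")
    body = der[3:]
    nbits = len(body) * 8 - unused
    flags = set()
    for name, bit in TICKET_FLAG_BITS.items():
        if bit < nbits and body[bit // 8] & (0x80 >> (bit % 8)):
            flags.add(name)
    return flags


def hw_auth_required(flags: set) -> bool:
    """Authorization decision: accept only tickets whose TGT was marked HW-AUTH."""
    return "hw-authent" in flags


# Constructed sample flag words (not taken from real tickets), 0 unused bits.
# 0x40600000 = forwardable + initial + pre-authent: a plain password kinit.
PASSWORD_TICKET_FLAGS = bytes.fromhex("03050040600000")
# 0x40700000 = the same plus hw-authent: PKINIT with the smartcard policy OID.
SMARTCARD_TICKET_FLAGS = bytes.fromhex("03050040700000")

if __name__ == "__main__":
    for label, der in (("password", PASSWORD_TICKET_FLAGS), ("smartcard", SMARTCARD_TICKET_FLAGS)):
        flags = decode_ticket_flags(der)
        print(label, sorted(flags), "authorized" if hw_auth_required(flags) else "denied")
```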