
Re: Was a smartcard used to get the ticket?



>If you are using kerberos then you can't know if the card has been
>removed from the reader subsequent to getting the tgt.  Also if you
>are using gssapi then you don't have access to the Kerberos-specific
>status bits and such without breaking the abstraction layer.  (Should
>we then call it the KSSAPI? ;-)

MIT Kerberos always has some GSSAPI extensions to let you get access to
the various bits of the ticket (I added an extra function here to get
access to the ticket flags).  Seems like it would be easy for Heimdal to
do the same thing.

>Heimdal 0.8-ish does not set the bit when a smart card is used.
>(After all the KDC only knows you have a PKI cert, it doesn't know
>where on the client it resides.)  Heimdal klist --verbose shows the
>flags.

I think this is a bit of a red herring.  Certainly when you associate a
certificate with an account the administrator should know whether or
not it's a soft certificate versus a smart card.  In theory you could
set a bit in your KDC database that says, "Set the hardware preauth bit
when you use this certificate".

--Ken
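As an added illustration (not code from Ken's message, from MIT Kerberos or from Heimdal): once a service has the raw ticket-flags word, for example through an MIT extension such as gss_krb5_get_tkt_flags(), the decoding of the RFC 4120 flag bits and the kind of "was hardware preauth used" policy the thread discusses look like this. The flag values fed in are constructed for the example; the bit positions and MIT's 32-bit layout are from RFC 4120 and MIT's krb5.h.

```python
# Added example: interpret a Kerberos ticket-flags word (RFC 4120 TicketFlags,
# in MIT's 32-bit layout where bit 0 is the most significant bit) and decide
# whether a service should treat the ticket as hardware-authenticated.
# The word would normally come from an MIT GSSAPI extension such as
# gss_krb5_get_tkt_flags(); the values used below are constructed.

# RFC 4120 section 5.3.1 bit positions (bit 0 is reserved).
TICKET_FLAG_BITS = {
    "forwardable": 1, "forwarded": 2, "proxiable": 3, "proxy": 4,
    "may-postdate": 5, "postdated": 6, "invalid": 7, "renewable": 8,
    "initial": 9, "pre-authent": 10, "hw-authent": 11,
    "transited-policy-checked": 12, "ok-as-delegate": 13,
}


def flag_mask(name: str) -> int:
    """Mask for a named flag in MIT's layout: RFC bit n -> 1 << (31 - n).
    E.g. hw-authent (bit 11) is 0x00100000, matching MIT's TKT_FLG_HW_AUTH."""
    return 1 << (31 - TICKET_FLAG_BITS[name])


def decode_ticket_flags(flags: int) -> set:
    """Names of all flags set in the 32-bit word."""
    return {name for name in TICKET_FLAG_BITS if flags & flag_mask(name)}


def hardware_preauth_ok(flags: int) -> bool:
    """Service-side policy: accept only tickets the KDC marked as both
    pre-authenticated and hardware-authenticated, and never an invalid one.
    As the thread notes, hw-authent only records what the KDC knew when it
    issued the TGT (e.g. an administrator-set attribute on the certificate);
    it says nothing about whether the card is still in the reader."""
    present = decode_ticket_flags(flags)
    return {"pre-authent", "hw-authent"} <= present and "invalid" not in present


if __name__ == "__main__":
    # Constructed: forwardable | renewable | initial | pre-authent
    soft_tgt = 0x40E00000
    # Constructed: the same ticket with hw-authent also set by the KDC
    card_tgt = soft_tgt | flag_mask("hw-authent")
    print(sorted(decode_ticket_flags(soft_tgt)), hardware_preauth_ok(soft_tgt))
    print(sorted(decode_ticket_flags(card_tgt)), hardware_preauth_ok(card_tgt))
```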