
List:       krbdev
Subject:    Re: KDB access to auth indicators (was Re: Proposed libkrb5 APIs for name attributes)
From:       Alexander Bokovoy <abokovoy () redhat ! com>
Date:       2019-08-08 6:01:49
Message-ID: 20190808060149.GE28772 () redhat ! com

On Wed, 07 Aug 2019, Greg Hudson wrote:
>On 8/3/19 4:08 AM, Alexander Bokovoy wrote:
>> So, if there would be a way to pass a mutable list of authentication
>> indicators to fetch_kdb_authdata() (which would pass it to a KDB's
>> sign_authdata callback) and add it to the ticket reply afterwards, that
>> would solve our case.
>
>Please have a look at https://github.com/krb5/krb5/pull/965 and see if
>that will work.
Thanks. This looks good. I'm at the Flock conference this week but I'll try
to change FreeIPA to see if it works for OTP tokens, i.e. if I would be
able to deny access to a specific Samba share if the user doesn't possess
a 2FA asserted SID in the MS-PAC.

-- 
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
_______________________________________________
krbdev mailing list             krbdev@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev