e8a7e2e ipa-kdb: add pkinit authentication indicator in case of a successful certauth

1 file. Authored by abbra 6 years ago, committed by mbabinsk 6 years ago.
    ipa-kdb: add pkinit authentication indicator in case of a successful certauth
    
    We automatically add 'otp' and 'radius' authentication indicators when
    pre-authentication with OTP or RADIUS did succeed. Do the same for
    certauth-based pre-authentication (PKINIT).
    
    A default PKINIT configuration does not add any authentication
    indicators unless 'pkinit_indicator = pkinit' is set in kdc.conf.
    Unfortunately, modifying kdc.conf automatically is a bit more
    complicated than modifying krb5.conf. Given that we have 'otp' and
    'radius' authentication indicators also defined in the code, not in
    kdc.conf, this change is following an established trend.
    
    SSSD certauth interface does not provide additional information about
    which rule(s) succeeded in matching the incoming certificate. Thus,
    there is not much information we can automatically provide in the
    indicator. It would be good to generate indicators that include some
    information from the certmapping rules in the future, but for now a
    single 'pkinit' indicator is enough.
    
    Fixes https://pagure.io/freeipa/issue/6736
    
    Reviewed-By: Simo Sorce <ssorce@redhat.com>