On 08/19/2013 06:45 PM, Chris wrote: > I've been experimenting with pkinit, and was wondering if there is a > way to also require the normal kerberos password as well as using a > certificate file. I prefer not to trust the cert alone, but would also > like something more than a password. I can ask people to password > protect their cert key, and that works, but is unenforceable.
I don't believe there's any way to combine PKINIT with Kerberos passwords, no. I think the usual way to enforce this is to issue smart cards, but that obviously carries a cost. There's been a lot of discussion recently on combining multiple preauth mechs, or just combining Kerberos passwords with preauth mechs which don't normally require one (FAST OTP or PKINIT). But I don't know whether those discussions will come to anything specific or when. ________________________________________________ Kerberos mailing list [email protected] https://mailman.mit.edu/mailman/listinfo/kerberos
