author | Ken Hornstein <kenh@cmf.nrl.navy.mil> | 2021-09-30 17:10:06 -0400 |
---|---|---|
committer | Greg Hudson <ghudson@mit.edu> | 2021-10-28 15:43:19 -0400 |
commit | d22ed9b9216b35b0bd7cc0bfc9fea37060c273ec (patch) | |
tree | efea09e2da793029c3d1408db3fe426be6252b76 /doc | |
parent | e557f051d1605ee980b136cae020866873ffb223 (diff) | |

Support KRB5_CERTAUTH_HWAUTH_PASS in certauth

If a certauth module returns KRB5_CERTAUTH_HWAUTH_PASS, the certauth
accumulator sets the hw-authent flag in the ticket (like it would for
KRB5_CERTAUTH_HWAUTH), but defers authorization to other modules (like
it would for KRB5_PLUGIN_NO_HANDLE).

[ghudson@mit.edu: simplify tests by removing the HWAUTH returns from
the test2 module and allowing it to pass by authenticating as nocert]

Diffstat (limited to 'doc')
-rw-r--r-- | doc/plugindev/certauth.rst | 5 |
1 files changed, 4 insertions, 1 deletions
diff --git a/doc/plugindev/certauth.rst b/doc/plugindev/certauth.rst index 3b715f7..7a7a077 100644 --- a/doc/plugindev/certauth.rst +++ b/doc/plugindev/certauth.rst @@ -18,7 +18,10 @@ authorization status and optionally outputs a list of authentication indicator strings to be added to the ticket. Beginning in release 1.19, the authorize method can request that the hardware authentication bit be set in the ticket by returning -**KRB5_CERTAUTH_HWAUTH**. A module must use its own internal or +**KRB5_CERTAUTH_HWAUTH**. Beginning in release 1.20, the authorize method +can return **KRB5_CERTAUTH_HWAUTH_PASS** to request that the hardware +authentication bit be set in the ticket but otherwise defer authorization +to another certauth module. A module must use its own internal or library-provided ASN.1 certificate decoder. A module can optionally create and destroy module data with the |
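
Review bot: The added sentence in doc/plugindev/certauth.rst says the module can "otherwise defer authorization to another certauth module", but it does not say what the result is when no other module accepts the certificate, so a module author could read KRB5_CERTAUTH_HWAUTH_PASS as an authorizing return. The commit message makes the intended semantics clearer by comparing the deferral to KRB5_PLUGIN_NO_HANDLE; suggest carrying that comparison into the doc text, stating explicitly whether this return by itself authorizes the certificate, and noting what happens to the hardware authentication bit request when every remaining module also defers. It would also help to contrast it directly with KRB5_CERTAUTH_HWAUTH in the same sentence, since the two names differ only by the suffix and the distinction is security-relevant for anyone stacking modules.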