path: root/crypto/krb5/doc/html/_sources/plugindev/certauth.rst.txt
Diffstat (limited to 'crypto/krb5/doc/html/_sources/plugindev/certauth.rst.txt')
-rw-r--r--crypto/krb5/doc/html/_sources/plugindev/certauth.rst.txt36
1 files changed, 0 insertions, 36 deletions
diff --git a/crypto/krb5/doc/html/_sources/plugindev/certauth.rst.txt b/crypto/krb5/doc/html/_sources/plugindev/certauth.rst.txt
deleted file mode 100644
index 3740c5f7b403..000000000000
--- a/crypto/krb5/doc/html/_sources/plugindev/certauth.rst.txt
+++ /dev/null
@@ -1,36 +0,0 @@
-.. _certauth_plugin:
-
-PKINIT certificate authorization interface (certauth)
-=====================================================
-
-The certauth interface was first introduced in release 1.16. It
-allows customization of the X.509 certificate attribute requirements
-placed on certificates used by PKINIT enabled clients. For a detailed
-description of the certauth interface, see the header file
-``<krb5/certauth_plugin.h>``
-
-A certauth module implements the **authorize** method to determine
-whether a client's certificate is authorized to authenticate a client
-principal. **authorize** receives the DER-encoded certificate, the
-requested client principal, and a pointer to the client's
-krb5_db_entry (for modules that link against libkdb5). The method
-must decode the certificate and inspect its attributes to determine if
-it should authorize PKINIT authentication. It returns the
-authorization status and optionally outputs a list of authentication
-indicator strings to be added to the ticket.
-
-Beginning in release 1.19, the authorize method can request that the
-hardware authentication bit be set in the ticket by returning
-**KRB5_CERTAUTH_HWAUTH**. Beginning in release 1.20, the authorize
-method can return **KRB5_CERTAUTH_HWAUTH_PASS** to request that the
-hardware authentication bit be set in the ticket but otherwise defer
-authorization to another certauth module. A module must use its own
-internal or library-provided ASN.1 certificate decoder.
-
-A module can optionally create and destroy module data with the
-**init** and **fini** methods. Module data objects last for the
-lifetime of the KDC process.
-
-If a module allocates and returns a list of authentication indicators
-from **authorize**, it must also implement the **free_ind** method
-to free the list.
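Review bot: deleting this `_sources` copy removes the `.. _certauth_plugin:` label along with the only prose on this page that describes the **authorize**/**init**/**fini**/**free_ind** contract and the **KRB5_CERTAUTH_HWAUTH** / **KRB5_CERTAUTH_HWAUTH_PASS** return values; please confirm that the matching rendered `certauth.html` under `crypto/krb5/doc/html/` and any toctree or index entry pointing at `plugindev/certauth` are removed in the same change, otherwise the built documentation tree is left with a dangling link. Since the text defers to `<krb5/certauth_plugin.h>` as the authoritative description, a one-line pointer to that header in the commit message would help anyone later looking for where the certauth documentation went.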