
Re: Kerberos OTP with FreeRadius

daemon@ATHENA.MIT.EDU (Benjamin Kaduk)
Fri Jul 7 08:07:57 2017

Date: Fri, 7 Jul 2017 07:07:34 -0500
From: Benjamin Kaduk <kaduk@mit.edu>
To: Felix Weissbeck <contact-kerberos@w7k.de>
Message-ID: <20170707120734.GJ80947@kduck.kaduk.org>
MIME-Version: 1.0
Content-Disposition: inline
In-Reply-To: <9932119.xzEs4vG1OH@mutant>
Cc: "Brennecke, Simon" <simon.brennecke@sap.com>, kerberos@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

On Fri, Jul 07, 2017 at 11:04:47AM +0200, Felix Weissbeck wrote:
> 
> The "problem" here is that you can now obtain a Kerberos ticket with your
> second factor alone; so you could configure PAM to successfully authenticate
> with password+token.

Yes, the FAST/OTP preauthentication mechanism from RFC 6560 uses only
the OTP factor, which makes it a great solution if you already have
deployed OTP infrastructure and need to add a Kerberos solution for
your site.  For using OTP as a second factor, it's not really an option.

The current thinking in this space is that the SPAKE preauth scheme
in https://datatracker.ietf.org/doc/draft-ietf-kitten-krb-spake-preauth/
will fill this void, allowing a second factor to be mixed in with a
PAKE password-based preauth, that does not expose anything encrypted
in password-based keys directly on the wire (so as to stymie brute-force
attacks).

-Ben
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos