[38092] in Kerberos


Re: MIT Kerberos OTP with Windows

daemon@ATHENA.MIT.EDU (Benjamin Kaduk)
Mon Oct 30 21:11:44 2017

Date: Mon, 30 Oct 2017 20:11:25 -0500
From: Benjamin Kaduk <kaduk@mit.edu>
To: "Pallissard, Matthew" <kerberos@pallissard.net>
Message-ID: <20171031011124.GJ26855@kduck.kaduk.org>
MIME-Version: 1.0
Content-Disposition: inline
In-Reply-To: <20171030160510.x252ak675qgcqoix@laptop.ihme.uw.edu>
Cc: kerberos@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

On Mon, Oct 30, 2017 at 09:05:10AM -0700, Pallissard, Matthew wrote:
> > any ideas how to implement OTP for Windows with MIT kerberos client? possible?
> 
> I don't know if KFW 4.1 supports OTP but what I do know is that in the past I couldn't get PKINIT working with KFW. I had to implement Heimdal on the client end.
> 
> https://www.mail-archive.com/kfwdev@mit.edu/msg00822.html
> 
> Could be related.  Someone here could probably speak to that better than myself though.

It's quite related, yes.

The FAST OTP mechanism of RFC 6560 requires a FAST tunnel to exist over
which the OTP value is sent.  Generally this tunnel is obtained via
anonymous PKINIT, but PKINIT of all forms is not currently implemented
in KfW.  In principle, the needed FAST tunnel could be obtained in
other ways, e.g., via a machine keytab, but the number of situations
in which these other methods would actually be useful is quite limited.

-Ben
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
