[38093] in Kerberos


Re: MIT Kerberos OTP with Windows

daemon@ATHENA.MIT.EDU (Oleksandr Yermolenko)
Tue Oct 31 02:35:41 2017

Date: Tue, 31 Oct 2017 08:35:05 +0200
From: Oleksandr Yermolenko <aae@sumix.com>
To: Benjamin Kaduk <kaduk@mit.edu>
Message-ID: <20171031083505.78fa2d1c@aae-stu.taras.crp>
In-Reply-To: <20171031011124.GJ26855@kduck.kaduk.org>
MIME-Version: 1.0
Cc: "Pallissard, Matthew" <kerberos@pallissard.net>, kerberos@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

Thanks for your notes and direction.

Oleksandr Yermolenko

On Mon, 30 Oct 2017 20:11:25 -0500
Benjamin Kaduk <kaduk@mit.edu> wrote:

> On Mon, Oct 30, 2017 at 09:05:10AM -0700, Pallissard, Matthew wrote:
> > > any ideas how to implement OTP for Windows with MIT kerberos
> > > client? possible?  
> > 
> > I don't know if KFW 4.1 supports OTP but what I do know is that in
> > the past I couldn't get PKINIT working with KFW. I had to implement
> > heimdal on the client end.
> > 
> > https://www.mail-archive.com/kfwdev@mit.edu/msg00822.html
> > 
> > Could be related.  Someone here could probably speak to that better
> > than myself though.  
> 
> It's quite related, yes.
> 
> The FAST OTP mechanism of RFC 6560 requires a FAST tunnel to exist
> over which the OTP value is sent.  Generally this tunnel is obtained
> via anonymous PKINIT, but PKINIT of all forms is not currently
> implemented in KfW.  In principle, the needed FAST tunnel could be
> obtained in other ways, e.g., via a machine keytab, but the number of
> situations in which these other methods would actually be useful is
> quite limited.
> 
> -Ben
> ________________________________________________
> Kerberos mailing list           Kerberos@mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
