[38095] in Kerberos


Re: MIT Kerberos OTP with Windows

daemon@ATHENA.MIT.EDU (Dmitri Pal)
Tue Oct 31 10:21:52 2017

In-Reply-To: <20171031011124.GJ26855@kduck.kaduk.org>
From: Dmitri Pal <dpal@redhat.com>
Date: Tue, 31 Oct 2017 08:16:19 -0400
Message-ID: <CAOPuEqWkPW4f2=oiLQTK-BX1AskZcbEr+BgA-WKaUiwzcbSt8A@mail.gmail.com>
To: Benjamin Kaduk <kaduk@mit.edu>
Cc: "Pallissard, Matthew" <kerberos@pallissard.net>, kerberos@mit.edu

On Mon, Oct 30, 2017 at 9:11 PM, Benjamin Kaduk <kaduk@mit.edu> wrote:

> On Mon, Oct 30, 2017 at 09:05:10AM -0700, Pallissard, Matthew wrote:
> > > any ideas how to implement OTP for Windows with MIT kerberos client? possible?
> >
> > I don't know if KFW 4.1 supports OTP but what I do know is that in the
> > past I couldn't get PKINIT working with KFW. I had to implement heimdal on
> > the client end.
> >
> > https://www.mail-archive.com/kfwdev@mit.edu/msg00822.html
> >
> > Could be related.  Someone here could probably speak to that better than
> > myself though.
>
> It's quite related, yes.
>
> The FAST OTP mechanism of RFC 6560 requires a FAST tunnel to exist over
> which the OTP value is sent.  Generally this tunnel is obtained via
> anonymous PKINIT, but PKINIT of all forms is not currently implemented
> in KfW.  In principle, the needed FAST tunnel could be obtained in
> other ways, e.g., via a machine keytab, but the number of situations
> in which these other methods would actually be useful is quite limited.
>


This is why moving to SPAKE will make OTP easier to accomplish and support
with KfW.



>
> -Ben
> ________________________________________________
> Kerberos mailing list           Kerberos@mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>
>
>


-- 

Thank you,
Dmitri Pal

Engineering Director, Identity Management and Platform Security
Red Hat, Inc.