[3666] in Kerberos


S/KEY integrated with Kerberos?

daemon@ATHENA.MIT.EDU (Clifford Neuman)
Mon Aug 8 13:02:34 1994

Date: Mon, 8 Aug 1994 09:51:22 -0700
From: Clifford Neuman <bcn@ISI.EDU>
To: hendrick@ctron.com
Cc: kerberos@MIT.EDU
In-Reply-To: "James R. Hendrick"'s message of Mon, 8 Aug 1994 12:32:19 -0400 <199408081632.MAA00837@marlins.ctron.com>

   Date: Mon, 8 Aug 1994 12:32:19 -0400
   From: "James R. Hendrick" <hendrick@ctron.com>

   If I am missing something here, please help me understand. Why can't
   the KDC store the user's S/Key (keyinit) passphrase similarly to how a
   standalone machine does so it can derive the proper sequence of
   passphrases on demand?  This would require keeping an additional
   database of S/Key (initial) passphrases and sequence IDs (aka
   /etc/skeykeys).

It was I that missed something in your original proposal.  Yes, what
you describe does work and it does provide some benefit over just
using Kerberos passwords, but it is not really S/Key.  With a normal
system running S/Key, the initial passphrase is not stored on the
system.  Instead, the Nth (for example, the 101st) pass phrase is stored, but
the 100th must be provided by the user.  When the 100th is provided
and verified, it is stored for use in verifying the 99th.

	~ Cliff
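
The verification scheme described in the reply above, as an added example that is not part of the original message: the verifier holds only the last accepted value (here the 101st), checks that a submitted value hashes forward to it, and then stores the submitted value for the next login. SHA-256 stands in for the one-way function as an assumption of this sketch (it is not the hash or output encoding real S/Key uses), and all names are hypothetical.

```python
import hashlib


def step(value: bytes) -> bytes:
    # One application of the one-way function. SHA-256 is a stand-in chosen
    # for this example, not the function real S/Key uses.
    return hashlib.sha256(value).digest()


def nth_password(secret: bytes, n: int) -> bytes:
    # User's side: apply the one-way function n times to the secret passphrase.
    value = secret
    for _ in range(n):
        value = step(value)
    return value


class SKeyVerifier:
    """Server-side state: only the last accepted value and its sequence number."""

    def __init__(self, stored: bytes, seq: int):
        self.stored = stored  # e.g. the 101st value
        self.seq = seq        # e.g. 101

    def verify(self, candidate: bytes) -> bool:
        # The candidate is valid only if one hash step yields the stored value.
        if step(candidate) != self.stored:
            return False
        # Accept, then keep the candidate to verify the next (lower) one.
        self.stored, self.seq = candidate, self.seq - 1
        return True


def demo():
    secret = b"constructed example passphrase"  # never given to the verifier
    server = SKeyVerifier(nth_password(secret, 101), 101)
    p100, p99 = nth_password(secret, 100), nth_password(secret, 99)
    results = [
        server.verify(p99),   # out of order: does not hash to the 101st
        server.verify(p100),  # 100th hashes to the stored 101st: accepted
        server.verify(p100),  # replay of a used value: rejected
        server.verify(p99),   # 99th now verifies against the stored 100th
    ]
    return results, server.seq


if __name__ == "__main__":
    print(demo())
```

Nothing in `SKeyVerifier` lets the server compute the next expected value, which is the difference from a database that keeps the initial passphrase.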
