[3671] in Kerberos
Re: S/KEY integrated with Kerberos?
daemon@ATHENA.MIT.EDU (Bill Sommerfeld)
Mon Aug 8 15:24:34 1994
To: stripes@uunet.uu.net
Cc: sommerfeld@apollo.hp.com, hendrick@ctron.com, bcn@isi.edu, kerberos@MIT.EDU
In-Reply-To: Your message of "Mon, 8 Aug 1994 14:51:37 -0400 (EDT)"
Date: Mon, 08 Aug 1994 15:09:04 -0400
From: Bill Sommerfeld <sommerfeld@apollo.hp.com>
No, I didn't miss this, I just didn't mention it.
The number of KDC replicas per realm is typically small, so the
expansion factor is also small. Unless your vision is lousy, one can
easily fit several hundred S/Key one-time passwords on a single sheet
of paper. Also, you need not do an S/Key registration with every
replica... just a subset of them sufficient to ensure that S/Key
information for you will be available when you need it (see below).
> It also is a problem when a new KDC is installed.
Well, actually, no, it isn't necessarily.
Any S/Key + Kerberos protocol exchange would likely take the following
form:
client machine -> KDC: give me the sequence number, seed for user "A"
KDC -> client machine: 42, KDC1
(client machine prompts user for S/Key response)
client machine -> same KDC: authentication message containing S/Key
response.
KDC -> client machine: authentication response containing TGT.
Now, given that both message exchanges have to be with the same
replica site, "fixing" it to deal with a new replica which doesn't
know about you is easy... if a KDC's response to the first message was
an error message ("I don't know you"), then you're clearly talking to
a "new" replica, and you should retry the exchange with a different
replica.
- Bill
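The two-message exchange and the "retry a different replica" rule described in the message above, modelled end to end as an added example (this is not code from the thread, from Bill Sommerfeld, or from any Kerberos implementation). Assumptions: the S/Key chain is simulated with SHA-256 over seed || passphrase truncated to 8 bytes rather than RFC 1760's MD4 folded to 64 bits; the "TGT" is a placeholder string, not a real ticket; replica names, the principal "A", the seed "KDC1" and the starting count are constructed for the demo.

```python
"""Toy S/Key + Kerberos KDC exchange, with a replica that does not know the user.

Added example, not code from the original thread.  The one-time-password
chain is modelled with SHA-256 (assumption); real S/Key uses MD4 folded
to 64 bits, which is not reproduced here.
"""
import hashlib


def skey_hash(data: bytes) -> bytes:
    # One step of the chain.  8-byte truncation mirrors S/Key's 64-bit OTPs
    # but the hash itself is an assumption for this demo (SHA-256, not MD4).
    return hashlib.sha256(data).digest()[:8]


def skey_compute(passphrase: str, seed: str, n: int) -> bytes:
    """Client side: the n-th one-time password is H^n(seed || passphrase).

    This is what the user reads off the printed sheet for sequence number n.
    """
    value = (seed + passphrase).encode()
    for _ in range(n):
        value = skey_hash(value)
    return value


class UnknownPrincipal(Exception):
    """The 'I don't know you' error from a replica lacking our registration."""


class KDCReplica:
    """One KDC replica holding S/Key state for the users registered with it."""

    def __init__(self, name: str):
        self.name = name
        self.users = {}  # principal -> [seed, seq, last_accepted_otp]

    def register(self, principal: str, passphrase: str, seed: str, count: int):
        # Registration stores H^count; the first login presents H^(count-1),
        # which the KDC verifies by hashing it once.  The passphrase itself
        # never leaves the client.
        self.users[principal] = [seed, count, skey_compute(passphrase, seed, count)]

    def challenge(self, principal: str):
        """Message 1: 'give me the sequence number, seed for user A'."""
        if principal not in self.users:
            raise UnknownPrincipal(f"{self.name}: I don't know {principal}")
        seed, seq, _ = self.users[principal]
        if seq <= 1:
            raise RuntimeError(f"{self.name}: S/Key chain exhausted; re-register")
        return seq - 1, seed

    def authenticate(self, principal: str, seq: int, otp: bytes):
        """Message 2: verify the S/Key response and hand back a (placeholder) TGT."""
        if principal not in self.users:
            raise UnknownPrincipal(f"{self.name}: I don't know {principal}")
        rec = self.users[principal]
        # The response must be the preimage of the stored OTP and carry the
        # expected sequence number, so a replayed or stale OTP is rejected.
        if seq != rec[1] - 1 or skey_hash(otp) != rec[2]:
            return None
        rec[1] = seq
        rec[2] = otp
        return f"TGT({principal}@{self.name})"


def client_login(principal: str, passphrase: str, replicas):
    """Run both messages against the same replica; on 'I don't know you'
    move on to the next replica, exactly as the message above suggests.

    Returns (replica name, TGT, sequence number used) or None.
    """
    for kdc in replicas:
        try:
            seq, seed = kdc.challenge(principal)
        except UnknownPrincipal:
            continue  # a "new" replica without our registration: try another
        otp = skey_compute(passphrase, seed, seq)  # user types this from the sheet
        tgt = kdc.authenticate(principal, seq, otp)
        if tgt is not None:
            return kdc.name, tgt, seq
    return None


def demo():
    # Constructed scenario: "A" registered only with KDC1; KDC3 is newly installed.
    kdc1 = KDCReplica("KDC1")
    kdc3 = KDCReplica("KDC3")
    kdc1.register("A", "correct horse", "KDC1", 43)
    first = client_login("A", "correct horse", [kdc3, kdc1])   # falls through to KDC1, seq 42
    second = client_login("A", "correct horse", [kdc3, kdc1])  # next OTP, seq 41
    return first, second


if __name__ == "__main__":
    print(demo())
```

Sequence numbers count down, so each successful login consumes one line of the printed list; a replica that receives a reused OTP sees that its hash no longer matches the stored value and refuses it, which is the property that makes the per-replica registration safe to repeat on a subset of KDCs.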