[3856] in Kerberos
looking for S/key support for the Kerberos V5 KDC
daemon@ATHENA.MIT.EDU (Craig Leres)
Sun Sep 18 18:22:50 1994
To: kerberos@MIT.EDU
Date: 18 Sep 1994 21:54:56 GMT
From: leres@hot.ee.lbl.gov (Craig Leres)
Reply-To: leres@ee.lbl.gov (ucbvax!leres for uucp weenies)

I see that Kerberos V5 was designed with hand held authenticators in
mind. I'd like to add support for S/key (one time passwords). Can
anyone give me a pointer to a working implementation? Even a
working smartcard setup would be useful.

I think I understand how to use the preauthentication hooks to send the
one-time password and have the authentication server verify it but
since the ticket that is returned by the AS is encrypted with the
client's key (which you don't have) I don't see how to decrypt it...
It seems like you need to encrypt the ticket with something other than
the client's key. Perhaps you could use a key based on the S/key. Or
else have the AS send the client's key back but you would need to
encrypt it and so you're back to the problem of what key to use.

There's also the little problem of how to get the challenge from the
server before we request the ticket (we need to know which one time
password to send after all) but I figure this can either be done by
adding a request type to the AS or by writing a separate server.
Craig
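
Added example, not part of the original message and not Kerberos code: a sketch of the S/Key-style challenge and verification the message refers to, showing why the client needs the challenge (sequence number and seed) before it can compute the one-time password to send. SHA-256 truncated to 64 bits stands in for S/Key's own hash, and the names `OtpServer`, `otp`, `demo` and the sample seed and passphrase are constructed for illustration.

```python
import hashlib
import hmac


def h(data: bytes) -> bytes:
    # Stand-in one-way function (assumption): SHA-256 truncated to 64 bits.
    return hashlib.sha256(data).digest()[:8]


def otp(passphrase: bytes, seed: bytes, count: int) -> bytes:
    """Client side: apply h() `count` times to seed + passphrase (count >= 1)."""
    value = h(seed + passphrase)
    for _ in range(count - 1):
        value = h(value)
    return value


class OtpServer:
    """Server side: stores only the last accepted OTP, never the passphrase."""

    def __init__(self, seed: bytes, count: int, last: bytes):
        self.seed, self.count, self.last = seed, count, last

    def challenge(self):
        # The client cannot pick the right OTP without these two values.
        return self.count - 1, self.seed

    def verify(self, response: bytes) -> bool:
        if self.count <= 1:
            return False  # chain exhausted, user must re-initialise
        if not hmac.compare_digest(h(response), self.last):
            return False  # wrong passphrase, wrong count, or a replay
        self.last = response  # next login must hash to this value
        self.count -= 1
        return True


def demo():
    seed, passphrase = b"ke1234", b"constructed passphrase"  # constructed values
    server = OtpServer(seed, 100, otp(passphrase, seed, 100))
    n, s = server.challenge()              # step 1: fetch the challenge
    response = otp(passphrase, s, n)       # step 2: compute the OTP for it
    first = server.verify(response)        # step 3: server hashes once, compares
    replay = server.verify(response)       # a captured OTP is useless afterwards
    n2, s2 = server.challenge()
    second = server.verify(otp(passphrase, s2, n2))
    return n, first, replay, n2, second


if __name__ == "__main__":
    print(demo())
```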