[4174] in Kerberos


Re: Kerberos w/ one-time passwords?

daemon@ATHENA.MIT.EDU (Shawn Mamros)
Mon Nov 14 10:27:24 1994

To: kerberos@MIT.EDU
Date: Mon, 14 Nov 1994 10:08:47
From: mamros@ftp.com (Shawn Mamros)
Reply-To: mamros@ftp.com

jgs@yurt.merit.edu (John Scudder) writes:
>Has anyone done a version of Kerberos that authenticates users with
>one-time passwords?
>
>I realize that this would require some changes to the protocol.  I
>can't imagine that we're the only ones for whom Kerberos's reliance on
>multi-use passwords is a major problem, though.

For V5, it wouldn't require any changes to the protocol, just some
use of the optional fields in the protocol (most likely the pre-
authentication data field) that already exist.

I could easily picture a challenge-response type of system being
supported - the request for such a system would have to be transmitted
by the client in the pre-authentication field, then the KDC would
generate the challenge and proper response, use the response to derive
a key in which the "secret" part of the authentication service reply
is encrypted, then place the challenge in the pre-authentication field
of the reply.  kinit would have to be modified to echo out the challenge
and receive the response (which, of course, could only happen after
a reply comes back from the KDC), and derive the proper key from the
response (assuming the response is correct).

A few months back, there was some discussion on how S/Key support could
be integrated into V5.  Again, it required use of the pre-authentication
field.  I don't know of any actual code available publicly to do this
yet, though.

Since V4 doesn't have a pre-authentication field, or really any sort
of optional field capable of accommodating additional data, it probably
isn't very practical to try to do this sort of thing with V4.  Yet,
somewhere in the back recesses of my mind, I vaguely recall that somebody
had come up with a means to do it with V4, though I think it required
use of either an "auxiliary" protocol or multiple requests.  I'll try
to see if I can dig that posting out of my archives (but don't hold
your breath for it...).

-Shawn Mamros
E-mail to: mamros@ftp.com
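The challenge-response exchange sketched above, modelled end to end in Python as an added example; this is not code from the original post, from MIT Kerberos or from any other implementation. Both sides' messages are shown: the client asks for a challenge in the pre-authentication field of the AS-REQ, the KDC generates the challenge, computes the response it expects, derives the reply key from that response and encrypts the "secret" part of the AS-REP under it, then returns only the challenge in the reply's pre-authentication field. kinit can only show the challenge and read the response after the reply is back, exactly as the post notes. Everything concrete is an assumption made for the example: the padata type numbers (9001/9002) are made up and not assigned Kerberos V5 values, the per-principal token secret and the 8-hex-digit token scheme are constructed, and the encrypt-then-MAC helpers stand in for a real Kerberos encryption type.

```python
import hashlib
import hmac
import json
import os
import secrets

# Hypothetical padata type numbers for this example only; they are not
# values assigned in the Kerberos V5 specification or registry.
PA_OTP_CHALLENGE_REQUEST = 9001   # client -> KDC: "authenticate me with a challenge"
PA_OTP_CHALLENGE = 9002           # KDC -> client: the challenge to type into the token

# Constructed per-principal secret shared by the KDC and the user's token.
TOKEN_SECRETS = {"jgs@EXAMPLE.ORG": bytes.fromhex("00112233445566778899aabbccddeeff")}


def token_response(token_secret: bytes, challenge: str) -> str:
    """What the user's token displays for a challenge (toy scheme: 8 hex digits)."""
    return hmac.new(token_secret, challenge.encode(), hashlib.sha256).hexdigest()[:8]


def derive_key(response: str) -> bytes:
    """Stand-in for string-to-key: turn the typed response into a 256-bit reply key."""
    return hashlib.sha256(b"otp-response-to-key|" + response.encode()).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> dict:
    """Toy encrypt-then-MAC standing in for a Kerberos encryption type."""
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return {"nonce": nonce, "ct": ct, "tag": tag}


def decrypt(key: bytes, blob: dict) -> bytes:
    """Verify the tag first; a wrong reply key (wrong response) fails here."""
    tag = hmac.new(key, blob["nonce"] + blob["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(tag, blob["tag"]):
        raise ValueError("AS-REP enc-part integrity check failed (wrong response?)")
    return bytes(c ^ k for c, k in zip(blob["ct"], _keystream(key, blob["nonce"], len(blob["ct"]))))


def kdc_handle_as_req(as_req: dict) -> dict:
    """KDC side: challenge, expected response, reply key, encrypted enc-part."""
    padata = {p["type"]: p["value"] for p in as_req["padata"]}
    if PA_OTP_CHALLENGE_REQUEST not in padata:
        return {"msg_type": "KRB-ERROR", "e_text": "pre-authentication required"}
    challenge = secrets.token_hex(4)                      # fresh and unpredictable per request
    expected = token_response(TOKEN_SECRETS[as_req["cname"]], challenge)
    reply_key = derive_key(expected)                      # only the challenge leaves the KDC
    enc_part = json.dumps({"cname": as_req["cname"], "nonce": as_req["nonce"],
                           "session_key": os.urandom(32).hex()}).encode()
    return {"msg_type": "AS-REP",
            "padata": [{"type": PA_OTP_CHALLENGE, "value": challenge}],
            "enc_part": encrypt(reply_key, enc_part)}


def kinit(cname: str, answer_challenge) -> dict:
    """Client side: send AS-REQ, echo the challenge, decrypt with the typed response."""
    nonce = secrets.randbelow(2 ** 32)
    as_req = {"msg_type": "AS-REQ", "cname": cname, "nonce": nonce,
              "padata": [{"type": PA_OTP_CHALLENGE_REQUEST, "value": None}]}
    as_rep = kdc_handle_as_req(as_req)
    if as_rep["msg_type"] != "AS-REP":
        raise RuntimeError(as_rep["e_text"])
    challenge = next(p["value"] for p in as_rep["padata"] if p["type"] == PA_OTP_CHALLENGE)
    response = answer_challenge(challenge)                # only possible once the reply is back
    enc = json.loads(decrypt(derive_key(response), as_rep["enc_part"]))
    if enc["nonce"] != nonce or enc["cname"] != cname:
        raise RuntimeError("AS-REP does not match our AS-REQ")
    return enc


def run_exchange(cname: str = "jgs@EXAMPLE.ORG", wrong_response: bool = False) -> dict:
    """Drive one exchange; wrong_response=True simulates the user mistyping the token output."""
    def user(challenge: str) -> str:
        correct = token_response(TOKEN_SECRETS[cname], challenge)
        return "deadbeef" if wrong_response else correct
    return kinit(cname, user)


if __name__ == "__main__":
    print(run_exchange())
    try:
        run_exchange(wrong_response=True)
    except ValueError as err:
        print("wrong response:", err)
```

One property of this layout worth noticing when adapting it: the KDC ships the encrypted enc-part before the user has answered, so anyone who records the AS-REP can try candidate responses against it offline, and the reply key is only as strong as the response is long. An 8-hex-digit response, as in this toy, is fine for a demo but not for a deployment; a real design would use a longer response or protect the exchange with an additional key.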

