[4197] in Kerberos
Re: Kerberos w/ one-time passwords?
daemon@ATHENA.MIT.EDU (John DiMarco)
Tue Nov 15 15:26:44 1994
To: kerberos@MIT.EDU
Date: Tue, 15 Nov 1994 18:37:41 GMT
From: jdd@cdf.toronto.edu (John DiMarco)
jgs@yurt.merit.edu (John Scudder) writes:
>Has anyone done a version of Kerberos that authenticates users with
>one-time passwords?
>I realize that this would require some changes to the protocol. I
>can't imagine that we're the only ones for whom Kerberos's reliance on
>multi-use passwords is a major problem, though.
There's one large fundamental problem with integrating one-time passwords and
Kerberos. Let me illustrate:
Assume Alice is talking to a kerberized machine over an insecure link. She
wants to authenticate herself using a one-time password. She presents her
one-time password to kinit for authentication. Bob is listening in, and
wants to masquerade as Alice. Before kinit manages to do anything with
Alice's one-time password, Bob grabs it, passes it to his own kinit, and
authenticates himself as Alice.
The reason this approach doesn't work with Kerberos is that the password
never passes over the wire in the clear. But the whole point of one-time
passwords is to permit them to pass over the wire in the clear.
Regards,
John
--
John DiMarco <jdd@cdf.toronto.edu> Office: EA201B
Computing Disciplines Facility Systems Manager Phone: 416-978-1928
University of Toronto Fax: 416-978-1931
http://www.cdf.toronto.edu/personal/jdd/jdd.html
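To make the contrast concrete, here is an added toy model (not code from the post, nor from MIT Kerberos): a one-time password that is consumed by whoever presents it first, beside a Kerberos-style exchange in which the password never leaves the client. It assumes an HMAC over a timestamp standing in for encrypted-timestamp pre-authentication and a replay cache on the verifier, which goes slightly beyond what John describes; all secrets are constructed sample values.

```python
import hashlib
import hmac

# Constructed toy model, not Kerberos code: HMAC over a timestamp stands in for encrypted-timestamp preauth.
ALICE_OTPS = ["otp-0001", "otp-0002"]
ALICE_PASSWORD = "alice-long-term-secret"

def string_to_key(password):
    return hashlib.sha256(password.encode()).digest()  # stand-in for string-to-key

def make_authenticator(password, timestamp):
    # Client proves knowledge of the password without ever putting it on the wire.
    return hmac.new(string_to_key(password), str(timestamp).encode(), hashlib.sha256).hexdigest()

class OtpVerifier:
    """Each issued one-time password is accepted once, for whoever presents it first."""
    def __init__(self, issued):
        self.unused = set(issued)

    def login(self, otp):
        if otp in self.unused:
            self.unused.discard(otp)  # consumed; any later presentation is refused
            return True
        return False

class PreauthVerifier:
    """The password never crosses the wire; a replay cache refuses a repeated authenticator."""
    def __init__(self, password, window=300):
        self.key, self.window, self.seen = string_to_key(password), window, set()

    def login(self, timestamp, mac, now):
        expected = hmac.new(self.key, str(timestamp).encode(), hashlib.sha256).hexdigest()
        fresh = abs(now - timestamp) <= self.window and mac not in self.seen
        if not (fresh and hmac.compare_digest(mac, expected)):
            return False  # stale, already accepted, or wrong key
        self.seen.add(mac)
        return True

def otp_scenario():
    # Alice's OTP crosses an observed link before kinit uses it. The first
    # presentation (the observer's) succeeds; Alice's own attempt is then refused.
    kdc = OtpVerifier(ALICE_OTPS)
    return kdc.login(ALICE_OTPS[0]), kdc.login(ALICE_OTPS[0])

def preauth_scenario():
    # Only the authenticator is visible on the wire; presenting the same bytes
    # again is refused, so observing the exchange yields no login.
    kdc, ts = PreauthVerifier(ALICE_PASSWORD), 1_000_000
    auth = make_authenticator(ALICE_PASSWORD, ts)
    return kdc.login(ts, auth, now=ts + 5), kdc.login(ts, auth, now=ts + 10)
```

The OTP verifier's replay check is what makes the race in the post decisive: whoever reaches the verifier first is accepted and the legitimate user is the one turned away.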