[4198] in Kerberos
Re: Kerberos w/ one-time passwords?
daemon@ATHENA.MIT.EDU (Christopher Davis)
Tue Nov 15 17:35:59 1994
To: kerberos@MIT.EDU
Date: 15 Nov 1994 22:14:24 GMT
From: ckd@loiosh.kei.com (Christopher Davis)
TL> == Ted Lemon <mellon@ipd.wellsfargo.com>
TL> So you need a login program that will accept s/key passwords. [...]
TL> So hack telnetd so that if it doesn't successfully authenticate with
TL> Kerberos, it invokes /bin/login with an argument that tells it to ask
TL> for an s/key password.

You should be able to do this with the Kerberized telnetd (available from
MIT) and the logdaemon package (available from ftp.win.tue.nl).

The logdaemon login can be configured to require s/key on all logins over
the network--but if the telnetd gives it the "he's authenticated" flag it
won't require s/key (this allows Kerberized logins).

For belt and suspenders, you can also add a tcpwrapper so that only
certain sites (say, JUST the conference terminals) can connect to your
telnetd in the first place.

Then, if you bring a laptop with Kerberos, you can log in over an
encrypted telnet session and do "important" stuff; most of the time, you
can just pull out your preprinted s/key list to do stuff like check mail
(important security info in mail probably shouldn't be in cleartext) or
read news.

--
Christopher Davis * <ckd@kei.com> | "It's 106 ms to Chicago, we've got a full
http://www.kei.com/homepages/ckd/ | disk of GIFs, half a meg of hypertext,
* MIME * PGP * WWW * [CKD1] * | it's dark, and we're wearing sunglasses."
| "Click it." -- <bluesbros@bluesbros.com>
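
Added example, not part of the original post and not code from logdaemon, tcpwrapper or the MIT telnetd: a model of the layered login decision described in the message above (source allow-list, then the Kerberos "authenticated" flag, then a one-time password from a hash chain). The class and function names and the network are constructed, and truncated SHA-256 stands in for the hash real S/Key uses.

```python
import hashlib
import hmac
import ipaddress

# Constructed value: the networks the wrapper lets through (e.g. conference terminals).
ALLOWED_NETS = [ipaddress.ip_network("192.0.2.0/24")]

def step(value):
    """One hash-chain step. Assumption: truncated SHA-256 stands in for S/Key's hash."""
    return hashlib.sha256(value).digest()[:8]

def make_chain(secret, seed, n):
    """Return [H^1, ..., H^n]. The user prints H^1..H^(n-1); the server stores only H^n."""
    chain, value = [], secret + seed
    for _ in range(n):
        value = step(value)
        chain.append(value)
    return chain

class LoginGate:
    def __init__(self, stored):
        self.stored = stored  # last accepted chain value; it does not reveal the next password

    def check_otp(self, otp):
        # Accept only if hashing the response once gives the stored value.
        if not hmac.compare_digest(step(otp), self.stored):
            return False
        self.stored = otp  # advance the chain so a sniffed password cannot be replayed
        return True

    def login(self, src_ip, kerberos_ok, otp=None):
        addr = ipaddress.ip_address(src_ip)
        if not any(addr in net for net in ALLOWED_NETS):
            return "refused"   # wrapper layer: connection never reaches telnetd
        if kerberos_ok:
            return "kerberos"  # telnetd vouched for the user, so no s/key prompt
        if otp is not None and self.check_otp(otp):
            return "skey"
        return "denied"

if __name__ == "__main__":
    chain = make_chain(b"constructed secret", b"ke1234", 5)
    gate = LoginGate(chain[-1])
    print(gate.login("192.0.2.10", False, chain[-2]))  # first use of this password
    print(gate.login("192.0.2.10", False, chain[-2]))  # same password presented again
```

Passwords are consumed from the end of the chain backwards, which is why a printed list can be used over a cleartext session: each value seen on the wire is already spent.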