[5688] in Kerberos
Re: Preauthentication
daemon@ATHENA.MIT.EDU (Glenn Machin)
Sat Aug 12 15:22:42 1995
From: Glenn Machin <gmachin@sahp044.sandia.gov>
To: hartmans@MIT.EDU (Sam Hartman)
Date: Sat, 12 Aug 95 13:13:35 MDT
Cc: kerberos@MIT.EDU
In-Reply-To: <199508112236.SAA14300@tertius.mit.edu>; from "Sam Hartman" at Aug 11, 95 6:36 pm
>
>
> Finally, an attacker can always grab padata as people kinit,
> although this is somewhat more difficult than the attacker actively
> requesting tickets. The real answer is to have good passwords and possibly
> hardware preauth.
>
> --Sam
>
We are using the padata to pass a SecurID passcode over to the KDC for
validation, and in turn setting the TKT_FLG_HW_AUTH flag. Granted, you
must supply both your Kerberos password and a passcode, but if you want
the additional level of authentication, such as on some bastion host, it
comes in real handy.
Glenn
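
Added example, not part of the original message or of any code from its author: a sketch in C of how a service on a bastion host could refuse tickets that lack the hw-authent flag the message describes. The mask value is the one MIT krb5.h gives TKT_FLG_HW_AUTH; the function names, the policy, and the sample byte strings are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Mask as in MIT krb5.h. RFC 4120 numbers flag bits from the most
 * significant end, so hw-authent (bit 11) is 0x80000000 >> 11. */
#define TKT_FLG_HW_AUTH 0x00100000u

enum verdict { ALLOW = 0, DENY_MALFORMED = 1, DENY_NO_HW_AUTH = 2 };

/* Decode a DER TicketFlags BIT STRING in its usual 32-bit form:
 * tag 0x03, length 5, zero unused bits, then four flag bytes.
 * Returns 0 on success, -1 on anything else (hypothetical helper). */
int decode_ticket_flags(const uint8_t *der, size_t len, uint32_t *flags)
{
    if (der == NULL || len != 7) return -1;
    if (der[0] != 0x03 || der[1] != 0x05 || der[2] != 0x00) return -1;
    *flags = ((uint32_t)der[3] << 24) | ((uint32_t)der[4] << 16) |
             ((uint32_t)der[5] << 8)  |  (uint32_t)der[6];
    return 0;
}

/* Hypothetical bastion-host policy: fail closed unless the KDC marked
 * the ticket as hardware-authenticated. */
enum verdict bastion_policy(const uint8_t *der, size_t len)
{
    uint32_t flags;
    if (decode_ticket_flags(der, len, &flags) != 0) return DENY_MALFORMED;
    if ((flags & TKT_FLG_HW_AUTH) == 0) return DENY_NO_HW_AUTH;
    return ALLOW;
}

/* Constructed sample encodings, not captured traffic.
 * 0x70 in the second flag byte = initial | pre-authent | hw-authent;
 * 0x60 = initial | pre-authent only. */
static const uint8_t PW_AND_PASSCODE[] = {0x03, 0x05, 0x00, 0x00, 0x70, 0x00, 0x00};
static const uint8_t PASSWORD_ONLY[]   = {0x03, 0x05, 0x00, 0x00, 0x60, 0x00, 0x00};

int main(void)
{
    printf("password + passcode: %d\n",
           bastion_policy(PW_AND_PASSCODE, sizeof PW_AND_PASSCODE));
    printf("password only:       %d\n",
           bastion_policy(PASSWORD_ONLY, sizeof PASSWORD_ONLY));
    printf("truncated encoding:  %d\n", bastion_policy(PW_AND_PASSCODE, 4));
    return 0;
}
```

A real service would take the flags from the decrypted ticket its Kerberos library hands back rather than decoding DER itself; the decoder is here only so the bit layout is visible.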