[6865] in Kerberos
SUMMARY - Combining Kerberos/DCE with SecureId/SKey authentication
daemon@ATHENA.MIT.EDU (Ed Hill)
Mon Mar 11 14:51:18 1996
To: kerberos@MIT.EDU
Date: 11 Mar 1996 10:55:32 -0600
From: edhill@strobe.weeg.uiowa.edu (Ed Hill)
Date: March 11th, 1996

Recently I asked if anyone had integrated S/Key or SecurID into Kerberos or
DCE. The following is a quick summary of the responses that I got both via
Usenet and via E-mail. Now that we live in a world of Alta Vista and DejaNews,
I figure it would be easier to summarize responses now, rather than try to
answer someone's question 2 years from now when I have long since forgotten 8-)

* The biggest standards based movement in this area is being done by the
  IETF-CAT WG. The current draft of their work can be found at:
  ftp://ds.internic.net/internet-drafts/draft-ietf-cat-kerberos-passwords-02.txt

* Sandia National Laboratories developed an interface in Kerberos 5b2 for
  utilizing Security Dynamics SecurID. That code was passed along to the
  MIT folks for consideration.

* The Cygnus version of Kerberos V4 has support for authenticating a user via
  an SNK card. (http://www.cygnus.com/data/cns/)

* Cyber Safe (a Kerberos vendor) has kinit and kdc's which support SecurID.
  They also have a draft RFC to extend the K5 protocol to accommodate secondary
  authentication methods. (joek@cybersafe.com)

* The Army Research Lab is doing work on integrating both SecurID and public
  key cryptography methods into the KDC (not sure which version). Their
  work will be proposed to the IETF-CAT WG. This project is still in
  development, but they would be willing to share alpha code for those
  interested.

So in summary, there are standards bodies looking at this problem. So
hopefully long term, this will get integrated into Kerberos/DCE. Short term
there are vendors who do provide this type of support in their current
implementations of Kerberos (Cygnus and Cyber Safe). I didn't get any
responses about integrating OTPs into DCE.

Thanks to everyone who responded to my question, hopefully this little summary
will be useful to others looking into the same problem.

-Ed Hill (ed-hill@uiowa.edu)
Systems Administrator - Information Technology Services - University of Iowa
"I am Homer of Borg, prepare to be assim... Ooooooooh donuts!"