[3711] in Kerberos-V5-bugs
Re: [krbdev.mit.edu #1278] No prompter interface for krb5_get_init_creds_keytab
daemon@ATHENA.MIT.EDU (Marc Horowitz)
Tue Dec 17 16:08:15 2002
From: Marc Horowitz <marc@mit.edu>
To: rt-comment@krbdev.mit.edu
Cc: krb5-prs@mit.edu
In-Reply-To: "kenh@cmf.nrl.navy.mil via RT"'s message of "Tue, 17 Dec 2002 14:54:43 -0500 (EST)"
Message-ID: <t53vg1s2w2u.fsf@horowitz-m1.mit.edu>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Errors-To: krb5-bugs-admin@mit.edu
Date: 17 Dec 2002 16:07:37 -0500
"kenh@cmf.nrl.navy.mil via RT" <rt-comment@krbdev.mit.edu> writes:
>> >>> I need to use a host key in a keytab (hence keytab) as a user's
>> >>> long-term key with a hardware token (user interaction).
>> >
>> >Why do you need to do this? When, in the real world, would this ever
>> >happen?
>>
>> Actually, this is something we do every day here; we want the ability to
>> validate someone's hardware token for root access via sudo. We used the
>> old API before, and I was updating everything to the new API. It's not
>> like I was making this up, you know :-) This is all tied up in the
>> requirement for hardware preauthentication at DOD supercomputer sites.
Now I think I understand. You're just using the keytab because it's
convenient, not because you have some requirement to authenticate as
the specific key in the keytab. You're also trying to avoid making
the user type his password again, even though the user will have to do
the hardware preauth interaction.
For that matter, isn't the hardware token specific to the user? Can
you use an arbitrary user's hardware token with the key in the keytab?
How do you know which token is being used, since the client name in
the as-req is going to be the name from the keytab? If this is
currently working as you imply, can you explain it so I can understand
it better? Then maybe I can come up with some more clever suggestion.
Marc
_______________________________________________
krb5-bugs mailing list
krb5-bugs@mit.edu
http://mailman.mit.edu/mailman/listinfo/krb5-bugs