[16067] in Kerberos_V5_Development
Pre-authentication with SecurID
daemon@ATHENA.MIT.EDU (Jonathan Reams)
Tue Aug 17 13:10:36 2010
From: Jonathan Reams <jr3074@columbia.edu>
Date: Tue, 17 Aug 2010 13:10:32 -0400
Message-Id: <CCFB1B11-679D-4791-9837-79E8A6C4382B@columbia.edu>
To: krbdev@mit.edu

I'm trying to set up RSA SecurID to protect Kerberos principals, and I heard that people are doing this as a form of pre-authentication. If you want to get a ticket for a root principal, the KDC returns HWAUTH_REQUIRED and then something happens that talks to RSA SecurID to verify your token, and then you get your ticket.

I see the requires_hwauth principal attribute, and I see the KDC honors that flag, but it's unclear how you actually make it useful. Has anyone ever done anything with this? If not, is the pre-auth plugin framework mature enough that it would be worth writing a plugin?

Any thoughts or advice would be appreciated. Thanks!

Jonathan Reams
Assoc. Systems Engineer
Columbia University
jreams@columbia.edu
212-851-2871