[16071] in Kerberos_V5_Development
Re: Pre-authentication with SecurID
daemon@ATHENA.MIT.EDU (Henry B. Hotz)
Wed Aug 18 19:14:54 2010
Mime-Version: 1.0 (Apple Message framework v1081)
From: "Henry B. Hotz" <hotz@jpl.nasa.gov>
In-Reply-To: <mailman.457.1282147435.14595.krbdev@mit.edu>
Date: Wed, 18 Aug 2010 16:14:48 -0700
Message-Id: <05EC5497-1058-4C18-B155-6BF3D5C2B6B0@jpl.nasa.gov>
To: "krbdev@mit.edu" <krbdev@mit.edu>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: krbdev-bounces@mit.edu
I'm glad to hear that CyberSafe is working with RSA on an implementation. Since this is the MIT Kerberos list, let me give you a more MIT-centric answer. For some more general background see my presentation at http://workshop.openafs.org/afsbpw10/thu_3_1.html.
Assuming you want to do it yourself, then you need to:
Install current-version MIT code.
Write client and server pre-auth plugins to support the current OTP draft. Choose the protocol options which send the token value directly, since you won't have any special support from RSA, and the KDC will just be an ordinary RSA client. There will be some extra TBD work on the KDC to connect principal names to RSA identities.
You can test the plugins with kinit -T ...
In order to actually use the OTP during a login you will need to modify the login process on the machines in question. Specifically you want to use the local host keytab to get a tgt to initialize the FAST exchange for the user. Most likely this means extra features for pam_krb5. I'm sure Russ Allbery would be receptive of patches to his pam_krb5, but he had not received any the last I asked him.
Let us know if you get anything working!!
On Aug 18, 2010, at 9:03 AM, krbdev-request@mit.edu wrote:
> Date: Tue, 17 Aug 2010 13:10:32 -0400
> From: Jonathan Reams <jr3074@columbia.edu>
> Subject: Pre-authentication with SecurID
> To: krbdev@mit.edu
> Message-ID: <CCFB1B11-679D-4791-9837-79E8A6C4382B@columbia.edu>
> Content-Type: text/plain; charset=us-ascii
>
> I'm trying to set up RSA SecurID to protect kerberos principals, and I heard that people are doing this as a form of pre-authentication. If you want to get a ticket for a root principal, the KDC returns HWAUTH_REQUIRED and then something happens that talks to RSA SecurID to verify your token, and then you get your ticket. I see the requires_hwauth principal attribute, and I see the KDC honors that flag, but it's unclear how you actually make it useful. Has anyone ever done anything with this? If not, is the pre-auth plugin framework mature enough that it would be worth writing a plugin? Any thoughts or advice would be appreciated. Thanks!
>
> Jonathan Reams
> Assoc. Systems Engineer
> Columbia University
> jreams@columbia.edu
> 212-851-2871
------------------------------------------------------
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz@jpl.nasa.gov, or hbhotz@oxy.edu
_______________________________________________
krbdev mailing list krbdev@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev
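The armor step Henry describes (host keytab -> host TGT -> FAST-armored kinit for the user, which is also what "kinit -T ..." exercises when testing the plugins) as an added shell example; this is not code from the post, from MIT, or from pam_krb5. It uses only stock MIT kinit/kdestroy flags (-k -t keytab, -c ccache, -T armor_ccache). The keytab path, the host/FQDN principal form, and the armor cache location are assumptions, and KINIT/KDESTROY are overridable so the sequence can be dry-run without a KDC.

```shell
#!/bin/sh
# Added example, not from the mailing-list post: the FAST armor dance a
# login-side component (e.g. a pam_krb5 extension) would perform so that
# the OTP pre-auth runs inside a FAST tunnel. Assumptions: keytab at
# /etc/krb5.keytab, host principal host/<fqdn> (realm from krb5.conf),
# armor ccache under /tmp. Commands are overridable for dry runs.
set -eu

KINIT=${KINIT:-kinit}
KDESTROY=${KDESTROY:-kdestroy}
KEYTAB=${KEYTAB:-/etc/krb5.keytab}          # assumed keytab location
ARMOR_CC=${ARMOR_CC:-/tmp/krb5cc_armor.$$}   # assumed armor cache (separate from the user's)
HOST_FQDN=${HOST_FQDN:-}                     # set to skip the hostname lookup

# Host principal used for the armor TGT: host/<fqdn>, realm from krb5.conf.
host_princ() {
    fqdn=$HOST_FQDN
    [ -n "$fqdn" ] || fqdn=$(hostname -f 2>/dev/null || hostname)
    printf 'host/%s' "$fqdn"
}

# Step 1: obtain the machine's own TGT from the keytab into a dedicated
# ccache. Keeping it out of the user's default ccache matters: the host
# credentials must not be readable by the user after login.
get_armor_tgt() {
    "$KINIT" -k -t "$KEYTAB" -c "$ARMOR_CC" "$(host_princ)"
}

# Step 2: run the user's AS exchange armored with that ccache. kinit -T
# makes the client send a FAST request; the KDC-side OTP plugin then sees
# the token value only inside the armored channel. The user's ticket lands
# in the default ccache, not in ARMOR_CC.
user_kinit_fast() {
    user=$1
    "$KINIT" -T "$ARMOR_CC" "$user"
}

# Step 3: destroy the armor cache as soon as the user has a ticket, whether
# or not step 2 succeeded, so the host TGT does not linger in /tmp.
drop_armor() {
    "$KDESTROY" -c "$ARMOR_CC" || :
}

# Full sequence for one user; failure of the armored kinit still cleans up.
fast_login() {
    user=$1
    get_armor_tgt
    rc=0
    user_kinit_fast "$user" || rc=$?
    drop_armor
    return "$rc"
}

# Invoke as:  ./fast_login.sh run alice
# Dry run:    KINIT=echo KDESTROY=echo HOST_FQDN=ws1.example.com ./fast_login.sh run alice
case ${1:-} in
    run) fast_login "$2" ;;
esac
```

Usage note: the dry-run form prints the three command lines instead of contacting a KDC, which is a convenient way to confirm the flag order before wiring the same sequence into a PAM module. In a real login path the armor ccache should be created with a restrictive umask and owned by root, since it holds the host's TGT.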