[16906] in Kerberos_V5_Development
Re: OTP, deployability.
daemon@ATHENA.MIT.EDU (Greg Hudson)
Thu Jun 16 14:00:47 2011
From: Greg Hudson <ghudson@mit.edu>
To: "Roland C. Dowdeswell" <elric@imrryr.org>
In-Reply-To: <20110616173538.GF12572@mournblade.imrryr.org>
Date: Thu, 16 Jun 2011 14:00:43 -0400
Message-ID: <1308247243.2281.270.camel@t410>
Mime-Version: 1.0
Cc: "krbdev@mit.edu" <krbdev@mit.edu>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: krbdev-bounces@mit.edu
On Thu, 2011-06-16 at 13:35 -0400, Roland C. Dowdeswell wrote:
> If one has a large deployed Kerberos infrastructure, it would be
> much easier to deploy it if it did not involve the addition of
> pre-authentication mechanisms but rather was able to work with
> PA-ENC-TIMESTAMP using a single password prompt.
PA-ENC-TIMESTAMP doesn't deliver the password to the KDC; it encrypts
the client's current time in the password. Is your proposed design that
the KDC just tries decrypting the token in every acceptable OTP value
(or password + OTP value where applicable) and sees if one works? I
don't know if commercial OTP APIs allow the KDC to construct a list of
acceptable OTP values.
_______________________________________________
krbdev mailing list krbdev@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev
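To make the design question in the reply concrete, here is an added simulation (not MIT Kerberos code and not part of this thread) of a KDC that trial-decrypts a PA-ENC-TIMESTAMP under each OTP value in an assumed acceptable window. The string2key, the HMAC-based stream cipher standing in for a real Kerberos enctype, the salt, the clock skew and the OTP window are all assumptions of the example.

```python
import hashlib
import hmac
import struct

# Added illustration, not MIT Kerberos code. The cipher below is a stand-in
# for a Kerberos enctype: a string2key-like PBKDF2, an HMAC-SHA256 keystream
# for confidentiality and an HMAC tag for integrity.
SKEW = 300  # assumed clock skew (seconds) the KDC tolerates

def string2key(password: str, otp: str, salt: bytes) -> bytes:
    # Assumed combination: password and OTP concatenated, as in the
    # thread's "password + OTP value" case.
    return hashlib.pbkdf2_hmac("sha256", (password + otp).encode(), salt, 4096, 32)

def _keystream(key: bytes, n: int) -> bytes:
    out = b""
    for i in range((n + 31) // 32):
        out += hmac.new(key, b"ks" + struct.pack(">I", i), hashlib.sha256).digest()
    return out[:n]

def encrypt_timestamp(key: bytes, now: int) -> bytes:
    # Client side: encrypt the current time under the password(+OTP) key.
    pt = struct.pack(">Q", now)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, len(pt))))
    return ct + hmac.new(key, ct, hashlib.sha256).digest()

def decrypt_timestamp(key: bytes, blob: bytes):
    # Returns the timestamp, or None if the integrity tag does not verify
    # (i.e. this key is not the one the client used).
    ct, tag = blob[:8], blob[8:]
    if not hmac.compare_digest(tag, hmac.new(key, ct, hashlib.sha256).digest()):
        return None
    return struct.unpack(">Q", bytes(a ^ b for a, b in zip(ct, _keystream(key, 8))))[0]

def kdc_verify(blob: bytes, password: str, candidate_otps, salt: bytes, now: int):
    """KDC side: trial-decrypt the preauth blob under every acceptable OTP.
    Returns (matching otp, attempts) or (None, attempts). The attempt count
    shows the per-request cost: one key derivation per candidate value."""
    attempts = 0
    for otp in candidate_otps:
        attempts += 1
        ts = decrypt_timestamp(string2key(password, otp, salt), blob)
        if ts is not None and abs(ts - now) <= SKEW:
            return otp, attempts
    return None, attempts
```

Note that the KDC here needs the cleartext password to rebuild the combined key, which a KDC holding only string2key output cannot do; that is one more thing such a design would have to address, beyond being able to enumerate the acceptable OTP values at all.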