[17047] in Kerberos_V5_Development


Re: What's missing in fast-otp?

daemon@ATHENA.MIT.EDU (Linus Nordberg)
Mon Jul 18 11:16:10 2011

To: krbdev@mit.edu
From: Linus Nordberg <linus@nordu.net>
Date: Mon, 18 Jul 2011 17:14:21 +0200
Message-ID: <87wrffhb8y.fsf@nordberg.se>

Greg Hudson <ghudson@mit.edu> wrote
Mon, 18 Jul 2011 10:11:33 -0400:

| > - Standard compliance and completeness -- we're far from implementing
| >   all of draft-ietf-krb-wg-otp-preauth
| 
| What is not implemented?  What kinds of tokens will be precluded by the
| lack of support?

At the moment, there's only 4-pass with OTP sent in the request.
There's also no support for PIN change.  It's been tested with software
HOTP tokens and Yubikey in OATH mode as well as "yubikey" mode.


| * Is there any way to set up this plugin for use without back-end
| integration with IPA?  If not, this may make it difficult to create test
| cases.

IPA being the generic term "identity and policy management" or something
more specific?

All KDC configuration goes into krb5.conf and the kdb.  OTP verification
is being done by external services like an HTTP server or a "yubikey
server" (which both need some configuration, naturally).

I've been thinking of doing a native HOTP implementation, unless some
other kind of device comes my way first.  This might be good for a more
autonomous test environment.

_______________________________________________
krbdev mailing list             krbdev@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev
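
The message above mentions a native HOTP implementation as a way to get a more autonomous test environment. The following is an added example, not code from the post or from the fast-otp plugin: a stand-alone RFC 4226 HOTP verifier with a look-ahead window and replay rejection. The function names, the window size, and the use of the RFC 4226 Appendix D test secret are assumptions made for illustration.

```python
import hashlib
import hmac
import struct

# RFC 4226 Appendix D test secret (public test value, not a real token seed).
TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """Compute the RFC 4226 HOTP value for a single counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation offset
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify_hotp(secret: bytes, stored_counter: int, candidate: str,
                window: int = 3, digits: int = 6):
    """Return the counter to store next on success, or None on failure.

    Only counters stored_counter .. stored_counter + window are tried, so
    an OTP from an already consumed counter is rejected (no replay), while
    a token that was pressed a few times without logging in still works.
    """
    # Reject malformed input before it reaches the comparison.
    if len(candidate) != digits or not (candidate.isascii() and candidate.isdigit()):
        return None
    matched = None
    # Walk the whole window without an early exit and compare in constant
    # time, so timing does not reveal which counter matched.
    for counter in range(stored_counter, stored_counter + window + 1):
        if hmac.compare_digest(hotp(secret, counter, digits), candidate):
            if matched is None:
                matched = counter
    return None if matched is None else matched + 1


if __name__ == "__main__":
    server_counter = 0  # constructed state for the demo
    for otp in ("755224", "969429", "755224"):
        result = verify_hotp(TEST_SECRET, server_counter, otp)
        print(otp, "accepted" if result is not None else "rejected")
        if result is not None:
            server_counter = result  # persist before answering the client
```

A KDC-side verifier has to persist the returned counter atomically with the accept decision; otherwise two concurrent requests can both succeed with the same OTP.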
