[33215] in Kerberos


SecurID Preauth Support

daemon@ATHENA.MIT.EDU (John Devitofranceschi)
Thu Feb 17 10:56:55 2011

Date: Thu, 17 Feb 2011 10:56:19 -0500
From: John Devitofranceschi <jdvf@optonline.net>
To: "kerberos@mit.edu" <kerberos@mit.edu>

I just noticed the SecurID Preauth Support plugin in MIT Kerberos 1.9 and I was wondering if anyone has been using it yet.

I am specifically interested in the operational and user aspects of supporting this plugin.  

From the plugin's Readme:

"Once the plugin is installed, set the requires_preauth and potentially requires_hwauth flags for a principal.  Then create principal/SECURID as a new principal with a random key. That principal will now require SecurID authentication."

From this and the source, I am thinking that if I create a principal named 'fred' (which corresponds with, say, a unix login named 'fred'), I can enable SecurID preauth in the manner described and as far as 'fred' is concerned, the only thing that has changed is that he now has to use his PIN/Token to successfully preauth, not his old password. The user need never know that 'fred/SECURID' exists, and any TGTs issued by the KDC will have the 'H' (Hardware authenticated) flag set.

Is this accurate?

jd
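
The expectation in the message above, that the TGT carries the 'H' flag, can be checked from `klist -f` output. The following is an added example, not part of the original post or of the plugin; the realm, principal, cache path and ticket listings are constructed samples, and the helper names `tgt_flags` and `tgt_check` are hypothetical.

```shell
#!/bin/sh
# Added example. Classifies the TGT in `klist -f` output read from stdin.
# MIT klist flag letters used: H = hardware authenticated, A = preauthenticated.

# Print the flag string of the first krbtgt/ entry (empty if none is found).
tgt_flags() {
    awk '
        /krbtgt\// { in_tgt = 1; next }       # ticket line of the TGT
        in_tgt && /Flags:/ { sub(/.*Flags: */, ""); print; exit }
        /^[0-9]/ { in_tgt = 0 }               # another ticket entry started
    '
}

# Print one of: hw-authent, preauth-only, no-preauth, no-tgt.
tgt_check() {
    flags=$(tgt_flags)
    case "$flags" in
        *H*) echo "hw-authent" ;;
        *A*) echo "preauth-only" ;;
        "")  echo "no-tgt" ;;
        *)   echo "no-preauth" ;;
    esac
}

# Constructed sample: TGT with the H flag set.
sample_hw() {
cat <<'EOF'
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: fred@EXAMPLE.COM

Valid starting     Expires            Service principal
02/17/11 10:56:19  02/17/11 20:56:19  krbtgt/EXAMPLE.COM@EXAMPLE.COM
        Flags: FIHA
EOF
}

# Constructed sample: preauthenticated TGT without H, plus a service ticket.
sample_pw() {
cat <<'EOF'
Valid starting     Expires            Service principal
02/17/11 10:56:19  02/17/11 20:56:19  krbtgt/EXAMPLE.COM@EXAMPLE.COM
        renew until 02/24/11 10:56:19, Flags: FRIA
02/17/11 10:57:02  02/17/11 20:56:19  host/app1.example.com@EXAMPLE.COM
        renew until 02/24/11 10:56:19, Flags: FRAT
EOF
}

echo "hw sample: $(sample_hw | tgt_check)"
echo "pw sample: $(sample_pw | tgt_check)"
```

Against a live credential cache the same check is `klist -f | tgt_check`.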


