[39444] in Kerberos
Re: one time password integration
daemon@ATHENA.MIT.EDU (Charles Hedrick via Kerberos)
Wed Jul 31 17:15:32 2024
To: Ken Hornstein <kenh@cmf.nrl.navy.mil>
CC: "kerberos@mit.edu" <kerberos@mit.edu>
Date: Wed, 31 Jul 2024 21:14:18 +0000
Message-ID: <1E98FA5C-E26F-4CD3-B9F6-FCA729E19BC4@rutgers.edu>
In-Reply-To: <202407312038.46VKcXkl031026@hedwig.cmf.nrl.navy.mil>
Content-Language: en-US
MIME-Version: 1.0
From: Charles Hedrick via Kerberos <kerberos@mit.edu>
Reply-To: Charles Hedrick <hedrick@rutgers.edu>
Content-Type: text/plain; charset="utf-8"
Errors-To: kerberos-bounces@mit.edu
Content-Transfer-Encoding: 8bit
Yes, a data gets a service ticket.
> On Jul 31, 2024, at 4:55 PM, Ken Hornstein <kenh@cmf.nrl.navy.mil> wrote:
>
>
>>
>> One surprise in doing all of this is that there seems to be no standard
>> utility to let us see the auth indicator for the user's credentials. I'm
>> probably doing to use one of the test programs (adata). It seems to be
>> complicated by having the auth indicator in the encrypted part of the
>> ticket.
>
> If you are using the GSSAPI to authenticate, there's a way (it's kind
> of complicated and weird, like the rest of the GSSAPI). There's not a
> native way to do that with the Kerberos API; on my list is to submit a
> patch to MIT to expose the necessary API (there's a lot of things on
> that list, so don't wait for me). However, if you're interested in
> looking at authentication indicators in TGTs, I'm not sure there's a
> way to verify the AD-CAMMAC container in a TGT; you'd need to look at
> a service ticket (which I suppose you would already have if you were
> verifying a Kerberos password).
>
> --Ken
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos