[14583] in Kerberos


Kerberos and Two-Factor Authentication

daemon@ATHENA.MIT.EDU (Jad S. Boutros)
Fri Jun 22 21:15:57 2001

From: "Jad S. Boutros" <jad@stanfordalumni.org>
Date: Fri, 22 Jun 2001 17:58:23 -0700
Message-ID: <Pine.GSO.4.31.0106221729430.14546-100000@saga1.Stanford.EDU>
To: kerberos@MIT.EDU


I would like some info regarding how we can integrate a two-factor
authentication solution with Kerberos.

During the initial login, the user will need to provide his password and
some kind of one-time token (say using SecurID). After that, I assume that
everything else should remain the same given that the TGT is used instead
of the credentials [well, the Kerberos password change for example may or
may not require a one-time token but that's not too important].

I guess there is no simple way in the protocol for the login client to
forward the one-time token to the KDC and have the KDC validate it with
the (two-factor) authentication server. This probably means that the login
client will have to communicate with the auth. server directly during the
login "handshake".

Are there any such implementations available? Any info appreciated.
Thanks. jad.


