[27350] in Kerberos
Re: One Time Identification, a request for comments/testing.
daemon@ATHENA.MIT.EDU (Ken Renard)
Fri Feb 2 13:23:16 2007
In-Reply-To: <200701310603.l0V639Iu028764@wind.enjellic.com>
Mime-Version: 1.0 (Apple Message framework v752.2)
Message-Id: <41189CE9-71F0-4602-A290-E708D0D6BF4F@wareonearth.com>
From: Ken Renard <kdrenard@wareonearth.com>
Date: Fri, 2 Feb 2007 09:48:16 -0500
To: g.w@hurderos.org
Cc: dev@directory.apache.org, krbdev@mit.edu, kerberos@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
> The identity token is included in an identification payload which
> is symmetrically encrypted and included in the AS_REQ authorization
> field.
Any reason why this couldn't be implemented as a preauthentication
type (especially with the PAL in 1.6)? Might give you more
flexibility with respect to multiple exchanges or when a principal
requires this type of authentication. This might even fit into the
SAM(2) preauth type.
Operationally, users might just stick their USB key in and leave it
there (same as copying to filesystem). From there, it's just
filesystem privileges that separate an attacker from the real user.
-Ken Renard
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos