[28103] in Kerberos
Re: Implementing OTP mechanism with existing kerberos
daemon@ATHENA.MIT.EDU (Douglas E. Engert)
Wed Jul 25 17:21:24 2007
Message-ID: <46A7BEC4.4000909@anl.gov>
Date: Wed, 25 Jul 2007 16:21:08 -0500
From: "Douglas E. Engert" <deengert@anl.gov>
MIME-Version: 1.0
To: Gopal Paliwal <gopalpaliwal@gmail.com>
In-Reply-To: <6a113f920707251331o2c2f3d8ci55df6fb770aa8fd2@mail.gmail.com>
Cc: kerberos@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
Gopal Paliwal wrote:
> Hi,
>
> I am implementing OTP mechanism in the existing kerberos.
> I have set up pre-auth mechanism to authenticate the clients.
> Now, the user will be asked password+OTP instead of just password. i will be
> generating this OTP with a hardware token.
>
> Also, i will be encrypting time-stamp with password & OTP.
> At the kerberos authentication server, I will be able to generate a OTP.
>
> Now, the problem which I will face is that kerberos doesn't store passwords
> in clear form. & I somehow need to form a key at kerberos authentication
> server side to decrypt the time-stamp sent in the AS_REQ message by user.
> That key will be made up of OTP + password.
> Can someone point me out the mechanism as to how can I obtain password in
> clear form or other way with which I will be able to resolve my doubt.
>
Google for IETF Kerberos OTP
and start with
http://www.ietf.org/internet-drafts/draft-richards-otp-kerberos-03.txt
This covers a lot of the issues, it is not an easy problem.
> -gopal
> ________________________________________________
> Kerberos mailing list Kerberos@mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>
>
--
Douglas E. Engert <DEEngert@anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos