[28107] in Kerberos

home help back first fref pref prev next nref lref last post

RE: Implementing OTP mechanism with existing kerberos

daemon@ATHENA.MIT.EDU (Tim Alsop)
Wed Jul 25 18:38:33 2007

Content-class: urn:content-classes:message
MIME-Version: 1.0
Date: Wed, 25 Jul 2007 23:35:08 +0100
Message-ID: <0D8F2EFD3A10E24DAEEA48EA6DA07D30334E3A@postman-pat.csafe.local>
In-Reply-To: <6a113f920707251444nde24d40h10348d56a0fe8492@mail.gmail.com>
From: "Tim Alsop" <Tim.Alsop@CyberSafe.Com>
To: "Gopal Paliwal" <gopalpaliwal@gmail.com>, <kerberos@mit.edu>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

Gopal,
 
Sorry if I mislead you in any way. I don't think I mentioned MIT
Kerberos in my email. The product I used is called TrustBroker and is
commercially available from CyberSafe, and is not based on MIT or
Heimdal, and is not open source. I just wanted to show you so you can
see that what you are trying to do can be done ... I also thought you
might be interested in a commercially supported solution to meet your
two-factor authentication needs. If you plan to continue developing your
own solution with MIT then I wish you the best of luck, but if you are
interested in our products please let me know.
 
Take care,
Tim

________________________________

From: Gopal Paliwal [mailto:gopalpaliwal@gmail.com] 
Sent: 25 July 2007 22:44
To: Tim Alsop; kerberos@mit.edu
Subject: Re: Implementing OTP mechanism with existing kerberos


hi Tim,
 It's really nice.
i could see that you are able to use hardware tokens with MIT kerberos.
If u are comfortable, could you explain me the way you have done it. 
it will be great.
 
-gopal

 
On 7/25/07, Tim Alsop <Tim.Alsop@cybersafe.com> wrote: 

	Gopal,
	
	It is not easy to do. If you are interested, we already have a
solution
	- see example below : 
	
	# kinit talsop
	Password for talsop@SHREK:
	Enter Passcode (PIN+Tokencode) or Tokencode from your SecurID
Token:
	# klist -ef
	         Cache Type: Kerberos V5 Credentials Cache
	         Cache File: /krb5/tmp/cc/krb5cc_0 
	      Cache Version: 0502
	  Default Principal: talsop@SHREK
	
	Valid From                    Expires
Service
	Principal
	----------------------------  ----------------------------
	----------------- 
	Wed 25 Jul 2007 22:24:51 BST  Thu 26 Jul 2007 06:24:41 BST
	krbtgt/SHREK@SHREK
	  Session Key EType:  5 (DES3-CBC-MD5)
	       Ticket EType:  5 (DES3-CBC-MD5)
	       Ticket Flags: IHA
	#
	
	Note the H flag in ticket flags - this indicates that hardware
token was 
	used to obtain the TGT.
	
	Thanks,
	Tim
	
	-----Original Message-----
	From: kerberos-bounces@mit.edu [mailto:kerberos-bounces@mit.edu
] On
	Behalf Of Gopal Paliwal
	Sent: 25 July 2007 21:31
	To: kerberos@mit.edu
	Subject: Implementing OTP mechanism with existing kerberos
	
	Hi,
	
	I am implementing OTP mechanism in the existing kerberos. 
	I have set up pre-auth mechanism to authenticate the clients.
	Now, the user will be asked password+OTP instead of just
password. i
	will be
	generating this OTP with a hardware token.
	
	Also, i will be encrypting time-stamp with password & OTP. 
	At the kerberos authentication server, I will be able to
generate a OTP.
	
	Now, the problem which I will face is that kerberos doesn't
store
	passwords
	in clear form. & I somehow need to form a key at kerberos
authentication 
	server side to decrypt the time-stamp sent in the AS_REQ message
by
	user.
	That key will be made up of OTP + password.
	Can someone point me out the mechanism as to how can I obtain
password
	in
	clear form or other way with which I will be able to resolve my
doubt. 
	
	-gopal
	________________________________________________
	Kerberos mailing list           Kerberos@mit.edu
	https://mailman.mit.edu/mailman/listinfo/kerberos 
	


________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos

home help back first fref pref prev next nref lref last post