[28107] in Kerberos
RE: Implementing OTP mechanism with existing kerberos
daemon@ATHENA.MIT.EDU (Tim Alsop)
Wed Jul 25 18:38:33 2007
Content-class: urn:content-classes:message
MIME-Version: 1.0
Date: Wed, 25 Jul 2007 23:35:08 +0100
Message-ID: <0D8F2EFD3A10E24DAEEA48EA6DA07D30334E3A@postman-pat.csafe.local>
In-Reply-To: <6a113f920707251444nde24d40h10348d56a0fe8492@mail.gmail.com>
From: "Tim Alsop" <Tim.Alsop@CyberSafe.Com>
To: "Gopal Paliwal" <gopalpaliwal@gmail.com>, <kerberos@mit.edu>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
Gopal,
Sorry if I mislead you in any way. I don't think I mentioned MIT
Kerberos in my email. The product I used is called TrustBroker and is
commercially available from CyberSafe, and is not based on MIT or
Heimdal, and is not open source. I just wanted to show you so you can
see that what you are trying to do can be done ... I also thought you
might be interested in a commercially supported solution to meet your
two-factor authentication needs. If you plan to continue developing your
own solution with MIT then I wish you the best of luck, but if you are
interested in our products please let me know.
Take care,
Tim
________________________________
From: Gopal Paliwal [mailto:gopalpaliwal@gmail.com]
Sent: 25 July 2007 22:44
To: Tim Alsop; kerberos@mit.edu
Subject: Re: Implementing OTP mechanism with existing kerberos
hi Tim,
It's really nice.
i could see that you are able to use hardware tokens with MIT kerberos.
If u are comfortable, could you explain me the way you have done it.
it will be great.
-gopal
On 7/25/07, Tim Alsop <Tim.Alsop@cybersafe.com> wrote:
Gopal,
It is not easy to do. If you are interested, we already have a
solution
- see example below :
# kinit talsop
Password for talsop@SHREK:
Enter Passcode (PIN+Tokencode) or Tokencode from your SecurID
Token:
# klist -ef
Cache Type: Kerberos V5 Credentials Cache
Cache File: /krb5/tmp/cc/krb5cc_0
Cache Version: 0502
Default Principal: talsop@SHREK
Valid From Expires
Service
Principal
---------------------------- ----------------------------
-----------------
Wed 25 Jul 2007 22:24:51 BST Thu 26 Jul 2007 06:24:41 BST
krbtgt/SHREK@SHREK
Session Key EType: 5 (DES3-CBC-MD5)
Ticket EType: 5 (DES3-CBC-MD5)
Ticket Flags: IHA
#
Note the H flag in ticket flags - this indicates that hardware
token was
used to obtain the TGT.
Thanks,
Tim
-----Original Message-----
From: kerberos-bounces@mit.edu [mailto:kerberos-bounces@mit.edu
] On
Behalf Of Gopal Paliwal
Sent: 25 July 2007 21:31
To: kerberos@mit.edu
Subject: Implementing OTP mechanism with existing kerberos
Hi,
I am implementing OTP mechanism in the existing kerberos.
I have set up pre-auth mechanism to authenticate the clients.
Now, the user will be asked password+OTP instead of just
password. i
will be
generating this OTP with a hardware token.
Also, i will be encrypting time-stamp with password & OTP.
At the kerberos authentication server, I will be able to
generate a OTP.
Now, the problem which I will face is that kerberos doesn't
store
passwords
in clear form. & I somehow need to form a key at kerberos
authentication
server side to decrypt the time-stamp sent in the AS_REQ message
by
user.
That key will be made up of OTP + password.
Can someone point me out the mechanism as to how can I obtain
password
in
clear form or other way with which I will be able to resolve my
doubt.
-gopal
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos