Kerberos and one-time-passwords

Ian Grant Ian.Grant at cl.cam.ac.uk
Thu Apr 26 08:51:33 EDT 2007


If we allow users kerberised access to their home directories over NFS
we would like them to be able to log in to machines from remote hosts
without exposing their Kerberos keys. The only secure way seems to be
via one-time passwords. Unfortunately our 'KDC' is Microsoft Active
Directory so that isn't possible. Would it have been possible using
MIT or Heimdal Kerberos?

Are there any alternatives whereby a trusted agent (daemon) can be
given users' keytabs and can use them to get tickets on the users'
behalf after the users authenticate using one-time passwords? We
already have a one-time password PAM module so could use this in an
implementation. But I am having difficulty seeing how it could be
done securely. Does anyone have any experience of schemes like this?

Ian Grant
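As an added illustration of the "trusted agent" scheme the post asks about (this is example code, not from the post or from any Kerberos distribution): a hypothetical broker daemon holds the users' keytabs on its own side, verifies an RFC 4226 HOTP code, and only then runs a keytab-based kinit into a per-user credential cache. The user never sees the keytab; what they get back is the location of a credential cache. The `-k`, `-t` and `-c` kinit flags are real MIT (and Heimdal) options; the keytab paths, principal, HOTP secret (the RFC 4226 appendix test secret) and the `TicketBroker` class are constructed for the example. The counter is advanced past every accepted code, so a replayed OTP is rejected.

```python
import hashlib
import hmac
import os
import struct
import subprocess

HOTP_DIGITS = 6
RFC4226_TEST_SECRET = b"12345678901234567890"  # RFC 4226 appendix D test secret


def hotp(secret: bytes, counter: int, digits: int = HOTP_DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % (10 ** digits):0{digits}d}"


def build_kinit_argv(principal: str, keytab: str, ccache: str) -> list:
    """kinit -k -t KEYTAB -c CCACHE PRINCIPAL: obtain a TGT from a keytab into a chosen cache."""
    return ["kinit", "-k", "-t", keytab, "-c", ccache, principal]


def run_kinit(principal: str, keytab: str, ccache: str) -> str:
    """Default runner: really invokes kinit, so it needs a reachable KDC."""
    subprocess.run(build_kinit_argv(principal, keytab, ccache), check=True)
    return ccache


class TicketBroker:
    """Hypothetical trusted daemon: keeps users' keytabs and HOTP state on its side only,
    and hands back a per-user credential-cache path after a valid one-time password."""

    def __init__(self, users: dict, kinit_runner=run_kinit,
                 ccache_dir: str = "/tmp", lookahead: int = 3):
        self._users = users          # user -> {"secret", "counter", "keytab", "principal"}
        self._run = kinit_runner
        self._ccache_dir = ccache_dir
        self._lookahead = lookahead  # tolerate a few skipped token presses, never reuse

    def authenticate(self, user: str, code: str):
        rec = self._users.get(user)
        if rec is None:
            return None  # unknown user: no keytab lookup, nothing to leak
        for c in range(rec["counter"], rec["counter"] + self._lookahead):
            if hmac.compare_digest(hotp(rec["secret"], c), code):
                rec["counter"] = c + 1  # move past the accepted counter: a replay now fails
                ccache = os.path.join(self._ccache_dir, f"krb5cc_{user}")
                return self._run(rec["principal"], rec["keytab"], ccache)
        return None


def demo_users() -> dict:
    """Constructed sample state for one user (paths and principal are made up)."""
    return {
        "alice": {
            "secret": RFC4226_TEST_SECRET,
            "counter": 0,
            "keytab": "/var/lib/ticket-broker/alice.keytab",
            "principal": "alice@EXAMPLE.COM",
        }
    }


if __name__ == "__main__":
    # Offline demo: record the kinit command instead of running it.
    broker = TicketBroker(demo_users(), kinit_runner=lambda p, k, c: c)
    print(broker.authenticate("alice", hotp(RFC4226_TEST_SECRET, 0)))  # /tmp/krb5cc_alice
    print(broker.authenticate("alice", hotp(RFC4226_TEST_SECRET, 0)))  # None (replay)
```

The part the example deliberately leaves open is the hand-off of the resulting credential cache to the user's session, which in practice means the daemon must create the cache in a directory only that user can read (or pass the credentials over a local socket), and the broker itself becomes a high-value target because it holds every keytab; its host and the keytab files need the same protection a KDC would get. Note also that the OTP check here lives entirely in the broker, which is what makes it independent of whether the KDC (Active Directory in the post's case) supports OTP pre-authentication.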
