Kerberos and one-time-passwords

Russ Allbery rra at stanford.edu
Thu Apr 26 14:08:49 EDT 2007


Ian Grant <Ian.Grant at cl.cam.ac.uk> writes:

> If we allow users kerberised access to their home directories over NFS
> we would like them to be able to login to machines from remote hosts
> without exposing their kerberos keys. The only secure way seems to be
> via one-time-passwords.

I would use GSSAPI-authenticated ssh?  Hm.  I wonder if SecureCRT can do
ticket forwarding, though.  It would work great from Unix systems, at
least.

> Are there any alternatives whereby a trusted agent (daemon) can be
> given user's keytabs and can use them to get tickets on the user's
> behalf after the users authenticate using one time passwords?

Well, you can use:

    http://www.eyrie.org/~eagle/software/kstart/

to do the Kerberos authentication part if you work out the OTP part.  But
you have to trust the system with password equivalents for all of the
users, which seems to somewhat defeat the point.

-- 
Russ Allbery (rra at stanford.edu)             <http://www.eyrie.org/~eagle/>
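The GSSAPI-with-ticket-forwarding route suggested above only helps if the user's ticket-granting ticket is actually forwardable, and it hands a copy of that TGT to every host credentials are delegated to. The following wrapper is an added example, not code from this thread, from OpenSSH or from the kstart project: it checks the local credential cache for a forwardable TGT before asking ssh to delegate, and otherwise authenticates with GSSAPI without delegation so nothing usable leaves the client. It assumes MIT Kerberos `klist -f` output (an indented `Flags:` line after each ticket; Heimdal prints flags differently), the real OpenSSH options `GSSAPIAuthentication` and `GSSAPIDelegateCredentials`, and a `KRB5_REALM` environment variable that is this example's own convention. The embedded `klist` listing is constructed sample data.

```shell
#!/bin/sh
# Added example: delegate Kerberos credentials over ssh only when the local
# TGT is forwardable, and only to hosts the caller has chosen to trust with it.
# Assumes MIT Kerberos "klist -f" output; the KRB5_REALM variable is a
# convention of this example, not of Kerberos or OpenSSH.

# Constructed sample of "klist -f" output (not captured from a real system),
# so the check below can be exercised offline.
SAMPLE_KLIST='Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: alice@EXAMPLE.COM

Valid starting       Expires              Service principal
04/26/07 14:08:49  04/27/07 00:08:49  krbtgt/EXAMPLE.COM@EXAMPLE.COM
        Flags: FIA'

# tgt_forwardable REALM  (reads "klist -f" output on stdin)
# Exit 0 if the krbtgt/REALM@REALM ticket carries the F (forwardable) flag.
tgt_forwardable() {
    realm="$1"
    awk -v tgt="krbtgt/$realm@$realm" '
        # The ticket line names the service principal; note when it is our TGT.
        index($0, tgt) > 0 { in_tgt = 1; next }
        # MIT klist -f prints "Flags: ..." on the line following the ticket.
        in_tgt && $1 == "Flags:" {
            # Uppercase F means forwardable; lowercase f would mean forwarded.
            if (index($2, "F") > 0) found = 1
            in_tgt = 0
        }
        END { if (found) exit 0; exit 1 }
    '
}

# demo_check: run the flag check against the constructed sample; returns 0.
demo_check() {
    printf '%s\n' "$SAMPLE_KLIST" | tgt_forwardable EXAMPLE.COM
}

# gss_ssh HOST: authenticate with the local tickets; forward them only if the
# TGT is forwardable, since the remote host receives a usable copy of it.
gss_ssh() {
    host="$1"
    realm="${KRB5_REALM:?set KRB5_REALM to your Kerberos realm (example convention)}"
    if klist -f 2>/dev/null | tgt_forwardable "$realm"; then
        ssh -o GSSAPIAuthentication=yes -o GSSAPIDelegateCredentials=yes "$host"
    else
        echo "TGT is not forwardable (obtain one with 'kinit -f'); connecting without delegation" >&2
        ssh -o GSSAPIAuthentication=yes -o GSSAPIDelegateCredentials=no "$host"
    fi
}

# Usage: KRB5_REALM=EXAMPLE.COM ./gss_ssh.sh trusted-host.example.com
if [ $# -gt 0 ]; then
    gss_ssh "$1"
fi
```

Because a forwarded TGT lets the remote host act as the user until it expires, the delegation flag belongs on a per-host basis (a `Host` block in `ssh_config` for the machines that need the user's tickets, for example to reach the Kerberised NFS home directory), not as a global default.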
