Kerberos and one-time-passwords

Ian Grant Ian.Grant at cl.cam.ac.uk
Fri Apr 27 08:12:26 EDT 2007


On Thu, 26 Apr 2007 11:08:49 -0700
Russ Allbery <rra at stanford.edu> wrote:

> I would use GSSAPI-authenticated ssh?  Hm.  I wonder if SecureCRT can
> do ticket forwarding, though.  It would work great from Unix systems,
> at least.

By 'remote hosts' I mean machines not in our Kerberos domain.

ssh with GSS auth and ticket-forwarding works fine locally.

> > Are there any alternatives whereby a trusted agent (daemon) can be
> > given user's keytabs and can use them to get tickets on the user's
> > behalf after the users authenticate using one time passwords?
> 
> Well, you can use:
> 
>     http://www.eyrie.org/~eagle/software/kstart/
>

Thanks, that looks interesting. We have the OTP part in the form of
this:  http://www.cl.cam.ac.uk/~mgk25/otpw.html

> to do the Kerberos authentication part if you work out the OTP part.

> But you have to trust the system with password equivalents for all of
> the users, which seems to somewhat defeat the point.

Well, just the users who are away at the time. I wonder if we were to
just keep renewing their credentials for them while they are away? But
that exposes their files more than they may want.

Most people who have replied to my questions seem to think it's better
to let people type their Kerberos key on remote hosts than it is to
make them use a private ssh key from the remote site. I would disagree,
except there seems to be no way to let them at their files once they've
authenticated with a private key!

Ian