Implementing OTP mechanism with existing kerberos

Douglas E. Engert deengert at anl.gov
Wed Jul 25 17:21:08 EDT 2007



Gopal Paliwal wrote:
> Hi,
> 
> I am implementing OTP mechanism in the existing Kerberos.
> I have set up pre-auth mechanism to authenticate the clients.
> Now, the user will be asked password+OTP instead of just password. I will be
> generating this OTP with a hardware token.
> 
> Also, I will be encrypting time-stamp with password & OTP.
> At the Kerberos authentication server, I will be able to generate an OTP.
> 
> Now, the problem which I will face is that Kerberos doesn't store passwords
> in clear form. & I somehow need to form a key at Kerberos authentication
> server side to decrypt the time-stamp sent in the AS_REQ message by user.
> That key will be made up of OTP + password.
> Can someone point me out the mechanism as to how can I obtain password in
> clear form or other way with which I will be able to resolve my doubt.
> 

Google for "IETF Kerberos OTP"
and start with
http://www.ietf.org/internet-drafts/draft-richards-otp-kerberos-03.txt
This covers a lot of the issues; it is not an easy problem.


> -gopal
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
> 
> 

-- 

  Douglas E. Engert  <DEEngert at anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444


