Implementing OTP mechanism with existing kerberos

Tim Alsop Tim.Alsop at CyberSafe.Com
Wed Jul 25 17:27:51 EDT 2007


Gopal,

It is not easy to do. If you are interested, we already have a solution -
see example below:

# kinit talsop
Password for talsop at SHREK:
Enter Passcode (PIN+Tokencode) or Tokencode from your SecurID Token:
# klist -ef
          Cache Type: Kerberos V5 Credentials Cache
          Cache File: /krb5/tmp/cc/krb5cc_0
       Cache Version: 0502
   Default Principal: talsop at SHREK

Valid From                    Expires                       Service Principal
----------------------------  ----------------------------  -----------------
Wed 25 Jul 2007 22:24:51 BST  Thu 26 Jul 2007 06:24:41 BST  krbtgt/SHREK at SHREK
   Session Key EType:  5 (DES3-CBC-MD5)
        Ticket EType:  5 (DES3-CBC-MD5)
        Ticket Flags: IHA
#

Note the H flag in ticket flags - this indicates that a hardware token was
used to obtain the TGT.

Thanks,
Tim 

-----Original Message-----
From: kerberos-bounces at mit.edu [mailto:kerberos-bounces at mit.edu] On
Behalf Of Gopal Paliwal
Sent: 25 July 2007 21:31
To: kerberos at mit.edu
Subject: Implementing OTP mechanism with existing kerberos

Hi,

I am implementing an OTP mechanism in the existing Kerberos.
I have set up a pre-auth mechanism to authenticate the clients.
Now, the user will be asked for password+OTP instead of just the password.
I will be generating this OTP with a hardware token.

Also, I will be encrypting the time-stamp with password & OTP.
At the Kerberos authentication server, I will be able to generate an OTP.

Now, the problem which I will face is that Kerberos doesn't store passwords
in clear form, and I somehow need to form a key at the Kerberos
authentication server side to decrypt the time-stamp sent in the AS_REQ
message by the user.
That key will be made up of OTP + password.
Can someone point out to me the mechanism by which I can obtain the password
in clear form, or another way in which I will be able to resolve my doubt?

-gopal
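
Added example (not part of either message, and not CyberSafe's or MIT's code): one way to bind an OTP into pre-authentication without the KDC ever needing the cleartext password is for both sides to start from the long-term key the KDC already stores (the string-to-key of the password) and mix the OTP into that. Assumptions: PBKDF2 stands in for the realm's string-to-key, the token is TOTP-compatible (RFC 6238), and the timestamp is authenticated with an HMAC tag rather than encrypted; all function names and sample values are hypothetical.

```python
import hashlib, hmac, struct

def string_to_key(password, salt):
    # Assumption: PBKDF2 stands in for the realm's real string-to-key function.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 4096)

def totp(seed, now, step=30, digits=6):
    # RFC 6238 TOTP; assumption: the hardware token is TOTP-compatible.
    mac = hmac.new(seed, struct.pack(">Q", now // step), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def preauth_key(long_term_key, otp):
    # Mix the OTP into the key the KDC already stores; no cleartext password needed.
    return hmac.new(long_term_key, b"otp-preauth:" + otp.encode(), hashlib.sha256).digest()

def client_padata(password, salt, otp, now):
    # Client side: password -> long-term key -> OTP-bound key -> tagged timestamp.
    key = preauth_key(string_to_key(password, salt), otp)
    ts = struct.pack(">Q", now)
    return ts + hmac.new(key, ts, hashlib.sha256).digest()

def kdc_verify(stored_key, seed, padata, kdc_now, skew=300, step=30):
    # KDC side: starts from the stored key and the OTP it computes itself.
    if len(padata) != 40:
        return False
    ts, tag = padata[:8], padata[8:]
    if abs(struct.unpack(">Q", ts)[0] - kdc_now) > skew:
        return False  # stale or future timestamp
    for drift in (-step, 0, step):  # tolerate one step of token clock drift
        key = preauth_key(stored_key, totp(seed, kdc_now + drift, step))
        if hmac.compare_digest(tag, hmac.new(key, ts, hashlib.sha256).digest()):
            return True
    return False

# Constructed sample values, not taken from the thread.
SALT, SEED, NOW = "EXAMPLE.COMalice", b"constructed-token-seed", 1185400000

if __name__ == "__main__":
    stored = string_to_key("correct horse", SALT)  # what the KDC database holds
    pa = client_padata("correct horse", SALT, totp(SEED, NOW), NOW)
    print("accepted:", kdc_verify(stored, SEED, pa, NOW))
```

A production KDC would also need a replay cache so that an accepted OTP cannot be reused inside its validity window.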