Implementing OTP mechanism with existing kerberos

Gopal Paliwal gopalpaliwal at gmail.com
Wed Jul 25 17:44:05 EDT 2007


Hi Tim,
 It's really nice.
I could see that you are able to use hardware tokens with MIT Kerberos.
If you are comfortable, could you explain to me the way you have done it?
It will be great.

-gopal


On 7/25/07, Tim Alsop <Tim.Alsop at cybersafe.com> wrote:
>
> Gopal,
>
> It is not easy to do. If you are interested, we already have a solution
> - see example below :
>
> # kinit talsop
> Password for talsop@SHREK:
> Enter Passcode (PIN+Tokencode) or Tokencode from your SecurID Token:
> # klist -ef
>          Cache Type: Kerberos V5 Credentials Cache
>          Cache File: /krb5/tmp/cc/krb5cc_0
>       Cache Version: 0502
>   Default Principal: talsop@SHREK
>
> Valid From                    Expires                       Service Principal
> ----------------------------  ----------------------------  -----------------
> Wed 25 Jul 2007 22:24:51 BST  Thu 26 Jul 2007 06:24:41 BST  krbtgt/SHREK@SHREK
>   Session Key EType:  5 (DES3-CBC-MD5)
>        Ticket EType:  5 (DES3-CBC-MD5)
>        Ticket Flags: IHA
> #
>
> Note the H flag in the ticket flags - this indicates that a hardware token was
> used to obtain the TGT.
>
> Thanks,
> Tim
>
> -----Original Message-----
> From: kerberos-bounces at mit.edu [mailto:kerberos-bounces at mit.edu] On
> Behalf Of Gopal Paliwal
> Sent: 25 July 2007 21:31
> To: kerberos at mit.edu
> Subject: Implementing OTP mechanism with existing kerberos
>
> Hi,
>
> I am implementing an OTP mechanism in the existing Kerberos.
> I have set up a pre-auth mechanism to authenticate the clients.
> Now, the user will be asked for password+OTP instead of just the password. I
> will be generating this OTP with a hardware token.
>
> Also, I will be encrypting the time-stamp with password & OTP.
> At the Kerberos authentication server, I will be able to generate an OTP.
>
> Now, the problem which I will face is that Kerberos doesn't store passwords
> in clear form, & I somehow need to form a key at the Kerberos authentication
> server side to decrypt the time-stamp sent in the AS_REQ message by the user.
> That key will be made up of OTP + password.
> Can someone point me to the mechanism by which I can obtain the password in
> clear form, or another way with which I will be able to resolve my doubt?
>
> -gopal
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>
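The key-derivation problem raised in the quoted message, as an added illustration that is not code from MIT Kerberos or from either poster: the KDC never holds the clear password, only a key derived from it, so the pre-auth key is formed from that stored key plus the OTP the KDC can generate itself, and the encrypted timestamp is checked against the usual clock-skew window. The string-to-key function, the HMAC-based keystream, the 300-second skew limit, the salt and all sample values are constructed assumptions for this example, not the real Kerberos algorithms.

```python
import hashlib
import hmac
import os
import struct

# Constructed illustration of the key flow discussed in the thread.
# Assumptions: PBKDF2 stands in for Kerberos string2key, an HMAC-SHA256
# keystream stands in for the real etype, and MAX_SKEW mirrors the usual
# Kerberos clock-skew tolerance.
ITERATIONS = 100_000
MAX_SKEW = 300  # seconds


def string_to_key(password: str, salt: bytes) -> bytes:
    """Long-term key. The KDC stores only this, never the clear password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def preauth_key(stored_key: bytes, otp: str) -> bytes:
    """Combine the stored key with the OTP. The client computes it from the
    password it knows; the KDC computes it from its stored key and the OTP it
    generates, so no clear password is ever needed on the server."""
    return hmac.new(stored_key, otp.encode(), hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out = b""
    for ctr in range((n + 31) // 32):
        out += hmac.new(key, nonce + struct.pack(">I", ctr), hashlib.sha256).digest()
    return out[:n]


def client_preauth(password: str, salt: bytes, otp: str, ts: int) -> bytes:
    """Client side: encrypt-then-MAC the timestamp under the combined key."""
    key = preauth_key(string_to_key(password, salt), otp)
    pt = struct.pack(">Q", ts)
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def kdc_verify(stored_key: bytes, otp: str, blob: bytes, now: int) -> bool:
    """KDC side: rebuild the combined key, check the MAC, then the skew."""
    key = preauth_key(stored_key, otp)
    nonce, ct, tag = blob[:16], blob[16:24], blob[24:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        return False  # wrong password-derived key or wrong OTP
    pt = bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, 8)))
    return abs(now - struct.unpack(">Q", pt)[0]) <= MAX_SKEW
```

Rejecting a stale timestamp even when the key is right is what keeps a captured pre-auth blob from being replayed later.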


