Implementing OTP mechanism with existing kerberos

Tim Alsop Tim.Alsop at CyberSafe.Com
Wed Jul 25 18:35:08 EDT 2007


Gopal,
 
Sorry if I misled you in any way. I don't think I mentioned MIT
Kerberos in my email. The product I used is called TrustBroker and is
commercially available from CyberSafe, and is not based on MIT or
Heimdal, and is not open source. I just wanted to show you so you can
see that what you are trying to do can be done ... I also thought you
might be interested in a commercially supported solution to meet your
two-factor authentication needs. If you plan to continue developing your
own solution with MIT then I wish you the best of luck, but if you are
interested in our products please let me know.
 
Take care,
Tim

________________________________

From: Gopal Paliwal [mailto:gopalpaliwal at gmail.com] 
Sent: 25 July 2007 22:44
To: Tim Alsop; kerberos at mit.edu
Subject: Re: Implementing OTP mechanism with existing kerberos


Hi Tim,
 It's really nice.
I could see that you are able to use hardware tokens with MIT Kerberos.
If you are comfortable, could you explain to me the way you have done it.
It will be great.
 
-gopal

 
On 7/25/07, Tim Alsop <Tim.Alsop at cybersafe.com> wrote: 

	Gopal,
	
	It is not easy to do. If you are interested, we already have a solution
	- see example below :
	
	# kinit talsop
	Password for talsop at SHREK:
	Enter Passcode (PIN+Tokencode) or Tokencode from your SecurID Token:
	# klist -ef
	         Cache Type: Kerberos V5 Credentials Cache
	         Cache File: /krb5/tmp/cc/krb5cc_0
	      Cache Version: 0502
	  Default Principal: talsop at SHREK
	
	Valid From                    Expires                       Service Principal
	----------------------------  ----------------------------  -----------------
	Wed 25 Jul 2007 22:24:51 BST  Thu 26 Jul 2007 06:24:41 BST  krbtgt/SHREK at SHREK
	  Session Key EType:  5 (DES3-CBC-MD5)
	       Ticket EType:  5 (DES3-CBC-MD5)
	       Ticket Flags: IHA
	#
	
	Note the H flag in ticket flags - this indicates that a hardware token was
	used to obtain the TGT.
	
	Thanks,
	Tim
	
	-----Original Message-----
	From: kerberos-bounces at mit.edu [mailto:kerberos-bounces at mit.edu]
	On Behalf Of Gopal Paliwal
	Sent: 25 July 2007 21:31
	To: kerberos at mit.edu
	Subject: Implementing OTP mechanism with existing kerberos
	
	Hi,
	
	I am implementing an OTP mechanism in the existing Kerberos.
	I have set up a pre-auth mechanism to authenticate the clients.
	Now, the user will be asked for password+OTP instead of just password. I
	will be generating this OTP with a hardware token.
	
	Also, I will be encrypting the time-stamp with password & OTP.
	At the Kerberos authentication server, I will be able to generate an OTP.
	
	Now, the problem which I will face is that Kerberos doesn't store passwords
	in clear form, & I somehow need to form a key at the Kerberos authentication
	server side to decrypt the time-stamp sent in the AS_REQ message by the user.
	That key will be made up of OTP + password.
	Can someone point out to me the mechanism by which I can obtain the password
	in clear form, or another way with which I will be able to resolve my doubt.
	
	-gopal
	________________________________________________
	Kerberos mailing list           Kerberos at mit.edu
	https://mailman.mit.edu/mailman/listinfo/kerberos 
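Added illustration of the key-derivation point behind Gopal's original question (this is example code written for this page, not code from the thread, from CyberSafe's TrustBroker or from MIT Kerberos). A KDC holds string2key(password), never the password itself, so a pre-auth key that depends on "password + OTP" has to be built from that stored key rather than from the cleartext. The client, which knows the password, derives the same stored key locally, mixes in the OTP, and encrypts the timestamp; the KDC computes the same OTP on its side and mixes it into the key it already has. Assumptions: the combination step (HMAC of the stored key over the OTP) is an illustrative choice, not a Kerberos enctype and not the later standardised OTP pre-auth of RFC 6560; string2key is a PBKDF2 stand-in without the real enctype's final DK step; the encryption is a toy encrypt-then-MAC standing in for a Kerberos enctype; the OTP is RFC 4226 HOTP, which both a token and the KDC can compute from a shared seed and counter; the salt "SHREKtalsop" mimics the default realm+principal salt; the token seed, principal and timestamps are constructed sample data.

```python
"""Example: OTP-bound pre-authentication without a cleartext password at the KDC.

Assumed design for illustration only (not MIT Kerberos, not RFC 6560):
    stored_key  = string2key(password, salt)          # what the KDC holds
    preauth_key = HMAC(stored_key, "otp-preauth|" + otp)
    PA-DATA     = Encrypt(preauth_key, timestamp)
"""
import hashlib
import hmac
import struct

TAG_LEN = 32  # HMAC-SHA256 tag appended to each ciphertext


def string2key(password: str, salt: str) -> bytes:
    """Stand-in for the enctype's string2key: PBKDF2 as in the AES enctypes
    (RFC 3962), minus the final DK step. The KDC stores only this value."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 4096, 32)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): computed by an event-based hardware token and by the KDC."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % (10 ** digits):0{digits}d}"


def preauth_key(stored_key: bytes, otp: str) -> bytes:
    """Assumed combination step: bind the stored long-term key to this OTP."""
    return hmac.new(stored_key, b"otp-preauth|" + otp.encode(), hashlib.sha256).digest()


def _keystream(key: bytes, n: int) -> bytes:
    # HMAC in counter mode; a toy stand-in for the enctype's cipher.
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, b"enc" + struct.pack(">I", ctr), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Toy encrypt-then-MAC; demonstrates the flow, not a production cipher."""
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, len(plaintext))))
    tag = hmac.new(key, b"mac" + ct, hashlib.sha256).digest()
    return ct + tag


def decrypt(key: bytes, blob: bytes):
    """Returns the plaintext, or None when the tag does not verify (wrong key)."""
    ct, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, b"mac" + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, len(ct))))


def client_as_req(password: str, salt: str, otp: str, timestamp: int) -> bytes:
    """Client side: knows the password, so it can recompute the stored key itself."""
    key = preauth_key(string2key(password, salt), otp)
    return encrypt(key, struct.pack(">I", timestamp))


def kdc_check(stored_key: bytes, expected_otp: str, padata: bytes,
              now: int, skew: int = 300) -> bool:
    """KDC side: has only the stored key and its own OTP computation.
    Accepts the AS-REQ pre-auth only if the timestamp decrypts and is fresh."""
    pt = decrypt(preauth_key(stored_key, expected_otp), padata)
    if pt is None or len(pt) != 4:
        return False
    (ts,) = struct.unpack(">I", pt)
    return abs(now - ts) <= skew


if __name__ == "__main__":
    # Constructed sample data: RFC 4226 test seed, a made-up password and principal.
    seed = b"12345678901234567890"
    salt = "SHREKtalsop"                 # assumed default realm+principal salt
    kdc_db = {"talsop": string2key("s3cret", salt)}   # no cleartext stored
    counter = 3
    token_code = hotp(seed, counter)     # what the user reads off the token
    now = 1185398691                     # 25 Jul 2007 21:24:51 UTC, constructed
    padata = client_as_req("s3cret", salt, token_code, now)
    print("accepted:", kdc_check(kdc_db["talsop"], hotp(seed, counter), padata, now + 10))
```

The KDC never needs the password back: it only needs a key derivation that takes the stored key as input, plus the same OTP the token produced. Whichever combination function is chosen, the KDC must also track token state (the HOTP counter here) so that an accepted OTP cannot be replayed.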
	