Two types of passwords

Yair Yarom irush at cs.huji.ac.il
Mon May 14 05:52:44 EDT 2012


Hi all,

We have here two types of passwords, normal and OTP. OTP authentication
should be valid for normal password services, but not the other way
around.

For that I've created two realms: EXAMPLE.COM and OTP.EXAMPLE.COM with
one way cross realm authentication. While it seems to generally work, I
would like to know if it's the correct way to do this. And if it might
have some problems with services wanting user@EXAMPLE.COM but getting
user@OTP.EXAMPLE.COM. And if so, is there some way to solve this?

The second problem I have is that I want to use normal password from
inside a specific network, but OTP from outside. My thoughts here were
to prevent the EXAMPLE.COM kdc from giving initial tickets from outside
the network. Either by using a different kdc to answer outside requests
with all users having the -allow_tix attribute, or by using a preauth
plugin that refuses outside-the-network users (though for now it seems
that the preauth plugin API doesn't provide this information (please
correct me if I'm wrong)).

Are these solutions reasonable? Is there already a proper way to achieve
this?


Thanks in advance,
    Yair.
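The one-way trust described in the message, written out as an added example (this is not code from the post or from MIT Kerberos itself): the only cross-realm principal created is krbtgt/EXAMPLE.COM@OTP.EXAMPLE.COM, which lets OTP.EXAMPLE.COM clients obtain EXAMPLE.COM service tickets while the reverse direction stays closed, and an `auth_to_local` rule in krb5.conf maps user@OTP.EXAMPLE.COM onto the local account "user" so EXAMPLE.COM services see the expected name. The KDC host names, the use of `kadmin.local -r` with both realms on one host, and the `map_principal` helper (a local stand-in for the rule, used only to check the intended mapping offline) are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post or the Kerberos project.
# Assumed host names: kdc.example.com and otp-kdc.example.com.

LOCAL_REALM=EXAMPLE.COM
OTP_REALM=OTP.EXAMPLE.COM

# krbtgt/<target>@<source> lets principals of <source> get tickets in
# <target>. Emitting only this one principal is what makes the trust
# one-way: nothing lets EXAMPLE.COM users into OTP.EXAMPLE.COM.
trust_commands() {
    # $1 = shared key; the entry must have the same key (and enctypes)
    # in both realms' databases or cross-realm TGTs will not decrypt.
    printf '%s\n' "addprinc -pw $1 krbtgt/$LOCAL_REALM@$OTP_REALM"
}

# Create the cross-realm principal in both databases (assumes both realms
# are configured in kdc.conf on this host; otherwise run each on its KDC).
create_trust() {
    key=$1
    trust_commands "$key" | while read -r cmd; do
        kadmin.local -r "$OTP_REALM"   -q "$cmd"
        kadmin.local -r "$LOCAL_REALM" -q "$cmd"
    done
}

# krb5.conf for EXAMPLE.COM service hosts. The RULE formats the client
# principal as name@realm, matches only the OTP realm, and strips it; the
# DEFAULT rule then handles plain EXAMPLE.COM principals as usual.
write_krb5_conf() {
    # $1 = output path
    cat > "$1" <<EOF
[libdefaults]
    default_realm = $LOCAL_REALM

[realms]
    $LOCAL_REALM = {
        kdc = kdc.example.com
        admin_server = kdc.example.com
        auth_to_local = RULE:[1:\$1@\$0](^.*@OTP\\.EXAMPLE\\.COM\$)s/@OTP\\.EXAMPLE\\.COM\$//
        auth_to_local = DEFAULT
    }
    $OTP_REALM = {
        kdc = otp-kdc.example.com
        admin_server = otp-kdc.example.com
    }

[domain_realm]
    .example.com = $LOCAL_REALM
    example.com = $LOCAL_REALM
EOF
}

# Offline stand-in (assumption, not libkrb5's evaluator) for what the two
# auth_to_local lines above should yield: OTP and local principals map to
# the bare name; anything else is rejected.
map_principal() {
    case "$1" in
        *@"$OTP_REALM")   printf '%s\n' "${1%@"$OTP_REALM"}" ;;
        *@"$LOCAL_REALM") printf '%s\n' "${1%@"$LOCAL_REALM"}" ;;
        *) return 1 ;;
    esac
}

# Usage: sh one_way_trust.sh run <shared-key> /etc/krb5.conf
if [ "${1:-}" = run ]; then
    create_trust "$2"
    write_krb5_conf "$3"
fi
```

Because -allow_tix-style restrictions and preauth hooks are separate questions, the block only covers the realm layout; the check that matters for the "services wanting user@EXAMPLE.COM" concern is that `map_principal alice@OTP.EXAMPLE.COM` yields `alice` while a principal from an untrusted realm maps to nothing.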
