MIT Kerberos OTP with Windows

Benjamin Kaduk kaduk at mit.edu
Mon Oct 30 21:11:25 EDT 2017


On Mon, Oct 30, 2017 at 09:05:10AM -0700, Pallissard, Matthew wrote:
> > any ideas how to implement OTP for Windows with MIT kerberos client? possible?
> 
> I don't know if KFW 4.1 supports OTP, but what I do know is that in the past I couldn't get PKINIT working with KFW. I had to implement Heimdal on the client end.
> 
> https://www.mail-archive.com/kfwdev@mit.edu/msg00822.html
> 
> Could be related.  Someone here could probably speak to that better than myself though.

It's quite related, yes.

The FAST OTP mechanism of RFC 6560 requires a FAST tunnel to exist over
which the OTP value is sent.  Generally this tunnel is obtained via
anonymous PKINIT, but PKINIT of all forms is not currently implemented
in KfW.  In principle, the needed FAST tunnel could be obtained in
other ways, e.g., via a machine keytab, but the number of situations
in which these other methods would actually be useful is quite limited.

-Ben
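For readers who want to see what the armor requirement looks like in practice, here is an added example (not part of the mail above, and not KfW's own tooling) showing the two armor paths Ben mentions on a non-Windows MIT client: an anonymous-PKINIT armor ccache or a machine-keytab armor ccache, followed by the OTP kinit run through that armor with `-T`. It also includes an offline check of krb5.conf for `pkinit_anchors`, since without a trust anchor the client cannot validate the KDC certificate and the anonymous-PKINIT path fails before any OTP is sent. The realm `EXAMPLE.COM`, the user `alice`, the keytab path and the host principal are placeholders; the sample krb5.conf is constructed for the example. The KDC side (the otp preauth module, its RADIUS backend, and PKINIT for anonymous tickets) is assumed to be configured already.

```shell
#!/bin/sh
# Added example: obtaining a FAST armor ccache and running an RFC 6560 OTP
# kinit through it on an MIT krb5 (non-KfW) client. Placeholders: realm
# EXAMPLE.COM, user alice, /etc/krb5.keytab, host/client.example.com.
set -eu

# Armor credentials live in their own ccache so they never mix with the user's.
ARMOR_CC="${ARMOR_CC:-FILE:/tmp/krb5cc_armor_$$}"

# Path 1: anonymous PKINIT. "-n" asks for an anonymous ticket and "@REALM"
# with no name makes it fully anonymous; the KDC is authenticated through
# pkinit_anchors, so no user secret is involved at this step.
armor_via_anonymous_pkinit() {
    realm=$1
    kinit -n -c "$ARMOR_CC" "@$realm"
}

# Path 2: a machine keytab. Only viable where the client already holds a
# keytab, which is the limited situation the mail refers to.
armor_via_keytab() {
    keytab=$1
    princ=$2
    kinit -k -t "$keytab" -c "$ARMOR_CC" "$princ"
}

# The OTP login itself: "-T" names the armor ccache, so the OTP prompt and
# value travel inside the FAST tunnel rather than in the clear.
otp_kinit() {
    user=$1
    kinit -T "$ARMOR_CC" "$user"
}

# Offline pre-check: does krb5.conf carry pkinit_anchors for the realm,
# either in [libdefaults] or inside the realm's stanza under [realms]?
# Returns 0 if found, 1 otherwise.
has_pkinit_anchors() {
    conf=$1
    realm=$2
    awk -v realm="$realm" '
        /^\[/                { section = $1; in_stanza = 0 }
        section == "[libdefaults]" && $1 == "pkinit_anchors" { found = 1 }
        section == "[realms]" && $1 == realm && $2 == "=" { in_stanza = 1; next }
        in_stanza && /^[[:space:]]*}/ { in_stanza = 0 }
        in_stanza && $1 == "pkinit_anchors" { found = 1 }
        END { exit !found }
    ' "$conf"
}

# Constructed sample client config: EXAMPLE.COM has an anchor, OTHER.NET does not.
sample_krb5_conf() {
    cat <<'EOF'
[libdefaults]
    default_realm = EXAMPLE.COM

[realms]
    EXAMPLE.COM = {
        kdc = kdc.example.com
        pkinit_anchors = FILE:/etc/krb5/kdc-ca.pem
    }
    OTHER.NET = {
        kdc = kdc.other.net
    }
EOF
}

# Typical order on a configured client (left commented so the script can be
# sourced without contacting a KDC):
#   armor_via_anonymous_pkinit EXAMPLE.COM      # or:
#   armor_via_keytab /etc/krb5.keytab host/client.example.com
#   otp_kinit alice                             # prompts for the OTP value
#   kdestroy -c "$ARMOR_CC"                     # drop the armor ticket afterwards
```

On KfW, the first path is unavailable for the reason given in the mail (no PKINIT), which is why only the keytab path, and thus only a narrow set of deployments, remains.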

