MIT Kerberos OTP with Windows

Dmitri Pal dpal at redhat.com
Tue Oct 31 08:16:19 EDT 2017


On Mon, Oct 30, 2017 at 9:11 PM, Benjamin Kaduk <kaduk at mit.edu> wrote:

> On Mon, Oct 30, 2017 at 09:05:10AM -0700, Pallissard, Matthew wrote:
> > > any ideas how to implement OTP for Windows with MIT Kerberos client? possible?
> >
> > I don't know if KFW 4.1 supports OTP but what I do know is that in the
> > past I couldn't get PKINIT working with KFW. I had to implement Heimdal on
> > the client end.
> >
> > https://www.mail-archive.com/kfwdev@mit.edu/msg00822.html
> >
> > Could be related.  Someone here could probably speak to that better than
> > myself though.
>
> It's quite related, yes.
>
> The FAST OTP mechanism of RFC 6560 requires a FAST tunnel to exist over
> which the OTP value is sent.  Generally this tunnel is obtained via
> anonymous PKINIT, but PKINIT of all forms is not currently implemented
> in KfW.  In principle, the needed FAST tunnel could be obtained in
> other ways, e.g., via a machine keytab, but the number of situations
> in which these other methods would actually be useful is quite limited.
>


This is why moving to SPAKE will make OTP easier to accomplish and support
with KfW.



>
> -Ben


-- 

Thank you,
Dmitri Pal

Engineering Director, Identity Management and Platform Security
Red Hat, Inc.

