one time password integration
Ken Hornstein
kenh at cmf.nrl.navy.mil
Wed Jul 31 16:38:32 EDT 2024
>One surprise in doing all of this is that there seems to be no standard
>utility to let us see the auth indicator for the user's credentials. I'm
>probably going to use one of the test programs (adata). It seems to be
>complicated by having the auth indicator in the encrypted part of the
>ticket.
If you are using the GSSAPI to authenticate, there's a way (it's kind
of complicated and weird, like the rest of the GSSAPI). There's not a
native way to do that with the Kerberos API; on my list is to submit a
patch to MIT to expose the necessary API (there's a lot of things on
that list, so don't wait for me). However, if you're interested in
looking at authentication indicators in TGTs, I'm not sure there's a
way to verify the AD-CAMMAC container in a TGT; you'd need to look at
a service ticket (which I suppose you would already have if you were
verifying a Kerberos password).
--Ken