[krbdev.mit.edu #1278] No prompter interface for krb5_get_init_creds_keytab

Marc Horowitz marc at MIT.EDU
Tue Dec 17 16:07:37 EST 2002


"kenh at cmf.nrl.navy.mil via RT" <rt-comment at krbdev.mit.edu> writes:

>> >>> I need to use a host key in a keytab (hence keytab) as a user's
>> >>> long-term key with a hardware token (user interaction).  
>> >
>> >Why do you need to do this?  When, in the real world, would this ever
>> >happen?
>> 
>> Actually, this is something we do every day here; we want the ability to
>> validate someone's hardware token for root access via sudo.  We used the
>> old API before, and I was updating everything to the new API.  It's not
>> like I was making this up, you know :-)  This is all tied up in the
>> requirement for hardware preauthentication at DOD supercomputer sites.

Now I think I understand.  You're just using the keytab because it's
convenient, not because you have some requirement to authenticate as
the specific key in the keytab.  You're also trying to avoid making
the user type his password again, even though the user will have to do
the hardware preauth interaction.

For that matter, isn't the hardware token specific to the user?  Can
you use an arbitrary user's hardware token with the key in the keytab?
How do you know which token is being used, since the client name in
the as-req is going to be the name from the keytab?  If this is
currently working as you imply, can you explain it so I can understand
it better?  Then maybe I can come up with some more clever suggestion.

                Marc
