OTP Support in MIT Kerberos

Henry B. Hotz hotz at jpl.nasa.gov
Fri Jul 28 18:46:32 EDT 2006

On Jul 27, 2006, at 4:23 PM, Henry B. Hotz wrote:

> Is there any S/KEY or other one-time-password support available for  
> the MIT Kerberos distribution?

I see from the responses that I was nowhere near clear enough in  
posing that question.  Let me elaborate in any case.

I'm interested in PKINIT-capable smart cards, really, but I won't be  
able to use them for a couple of years, and I want something better  
than a password to use sooner than that.  I'm probably going to need  
something that will work where a smart card won't anyway.  For  
example, an Internet Kiosk with a badly configured web browser.

I need something that *looks* like a simple password for something  
like an LDAP simple bind.  While use of SAM is not out of the  
question, a query/response cycle with the real user is not always  

In order to be a significant improvement over a password it should  
use something like a PIN (OK, I know that's really a password itself)  
in addition to the OTP value.  That makes it a kind of two-factor  

What's in my head as an ideal solution is a modified form of S/KEY.   
The user types a memorized PIN concatenated with an entry from the  

RSA time-based tokens could be OK, but their existing API causes  
other problems.  A hardware token that requires you to enter a  
varying challenge value only works if the challenge arrives "out of  
band" somehow.

"Soft" tokens are preferred to "hard" tokens, if tokens are needed,  
though undetected theft becomes an issue.  It might be possible to  
make my internet kiosk example work with a java applet, but I'm not  
sure I know all the concerns to address there.

I'm willing to bend a lot of these requirements if someone else is  
doing something related.

The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz at jpl.nasa.gov, or hbhotz at oxy.edu
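As an added illustration of the PIN-plus-S/KEY idea sketched above (my own example, not part of the post and not MIT Kerberos code): a verifier that takes the single typed string PIN || hex(OTP), as an LDAP simple bind would deliver it, and checks both factors. The salted PIN hash, the SHA-256 hash chain, the sample seed and the lookahead window for skipped list entries are my assumptions, since the post leaves those details open.

```python
import hashlib
import hmac
import os

def hash_chain(x: bytes, n: int) -> bytes:
    """Return H^n(x): SHA-256 applied n times (n = 0 returns x unchanged)."""
    for _ in range(n):
        x = hashlib.sha256(x).digest()
    return x

class PinOtpVerifier:
    """Verifier for a typed string of the form PIN || hex(OTP).
    OTP k of the user's list is H^k(x) for k = n-1 down to 0; the verifier
    only holds H^count(x), so a captured OTP cannot be replayed or extended."""
    HEX_LEN = 64  # length of a hex-encoded SHA-256 digest

    def __init__(self, pin: str, x: bytes, n: int, lookahead: int = 3):
        self.count = n                        # OTPs still usable
        self.current = hash_chain(x, n)       # H^n(x), never an OTP itself
        self.lookahead = lookahead            # tolerate skipped list entries
        self.pin_salt = os.urandom(16)        # assumption: salted hashed PIN
        self.pin_hash = self._pin_digest(pin)

    def _pin_digest(self, pin: str) -> bytes:
        return hashlib.sha256(self.pin_salt + pin.encode()).digest()

    def verify(self, typed: str) -> bool:
        if len(typed) <= self.HEX_LEN:        # no room for a PIN in front
            return False
        pin, otp_hex = typed[:-self.HEX_LEN], typed[-self.HEX_LEN:]
        try:
            otp = bytes.fromhex(otp_hex)
        except ValueError:
            return False
        # Factor 1: the PIN, compared in constant time against its salted hash.
        pin_ok = hmac.compare_digest(self._pin_digest(pin), self.pin_hash)
        # Factor 2: the OTP must hash forward onto the stored chain value within
        # the lookahead window (j = 1 is the expected next list entry).
        steps = 0
        for j in range(1, min(self.lookahead, self.count) + 1):
            if hmac.compare_digest(hash_chain(otp, j), self.current):
                steps = j
                break
        if not (pin_ok and steps):
            return False                      # reject without advancing the chain
        self.current, self.count = otp, self.count - steps
        return True
```

A failed attempt never moves the chain forward, so a wrong PIN typed with a valid OTP does not burn that OTP, and once count reaches zero every further attempt is rejected until the list is re-seeded.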
