Pre-authentication with SecurID
Jonathan Reams
jr3074 at columbia.edu
Tue Aug 17 13:10:32 EDT 2010
I'm trying to set up RSA SecurID to protect kerberos principals, and I heard that people are doing this as a form of pre-authentication. If you want to get a ticket for a root principal, the KDC returns HWAUTH_REQUIRED and then something happens that talks to RSA SecurID to verify your token, and then you get your ticket. I see the requires_hwauth principal attribute, and I see the KDC honors that flag, but it's unclear how you actually make it useful. Has anyone ever done anything with this? If not, is the pre-auth plugin framework mature enough that it would be worth writing a plugin? Any thoughts or advice would be appreciated. Thanks!
Jonathan Reams
Assoc. Systems Engineer
Columbia University
jreams at columbia.edu
212-851-2871
More information about the krbdev
mailing list