Pre-authentication with SecurID

Jonathan Reams jr3074 at
Tue Aug 17 13:10:32 EDT 2010

I'm trying to set up RSA SecurID to protect Kerberos principals, and I heard that people are doing this as a form of pre-authentication. If you want to get a ticket for a root principal, the KDC returns HWAUTH_REQUIRED and then something happens that talks to RSA SecurID to verify your token, and then you get your ticket. I see the requires_hwauth principal attribute, and I see the KDC honors that flag, but it's unclear how you actually make it useful. Has anyone ever done anything with this? If not, is the pre-auth plugin framework mature enough that it would be worth writing a plugin? Any thoughts or advice would be appreciated. Thanks!

Jonathan Reams
Assoc. Systems Engineer
Columbia University
jreams at

