Pre-authentication with SecurID

Tim Alsop Tim at
Tue Aug 17 13:36:58 EDT 2010


To make RSA Auth Manager work with Kerberos using the OTP pre-auth draft and pre-auth framework (e.g. FAST), changes need to be made to the RSA Auth Manager so that the KDC can interface with it differently to what is normally required, when using standard/existing RSA products. We are working with RSA to make this happen, and we are changing our product so that it will work using this new interface. Our product is a commercially available implementation of Kerberos, not based on MIT or Heimdal.

Also, we have a pre-auth RSA SecurID solution working with our KDC and client software, which is based on an older draft for OTP. There are many differences, but the most notable is that this method still requires the user's Kerberos password when authenticating. The new OTP draft uses FAST so that the user's Kerberos password is not needed anymore, which most people prefer - they just want the user to enter tokencode and user name.

I am not aware of any implementations of MIT which are already available and working as described above.

From: krbdev-bounces at [krbdev-bounces at] On Behalf Of Jonathan Reams [jr3074 at]
Sent: 17 August 2010 18:10
To: krbdev at
Subject: Pre-authentication with SecurID

I'm trying to set up RSA SecurID to protect Kerberos principals, and I heard that people are doing this as a form of pre-authentication. If you want to get a ticket for a root principal, the KDC returns HWAUTH_REQUIRED and then something happens that talks to RSA SecurID to verify your token, and then you get your ticket. I see the requires_hwauth principal attribute, and I see the KDC honors that flag, but it's unclear how you actually make it useful. Has anyone ever done anything with this? If not, is the pre-auth plugin framework mature enough that it would be worth writing a plugin? Any thoughts or advice would be appreciated. Thanks!

Jonathan Reams
Assoc. Systems Engineer
Columbia University
jreams at