Pre-authentication with SecurID
Henry B. Hotz
hotz at jpl.nasa.gov
Wed Aug 18 19:14:48 EDT 2010
I'm glad to hear that CyberSafe is working with RSA on an implementation. Since this is the MIT Kerberos list, let me give you a more MIT-centric answer. For some more general background see my presentation at http://workshop.openafs.org/afsbpw10/thu_3_1.html.
Assuming you want to do it yourself, then you need to:
Install current-version MIT code.
Write client and server pre-auth plugins to support the current OTP draft. Choose the protocol options which send the token value directly, since you won't have any special support from RSA, and the KDC will just be an ordinary RSA client. There will be some extra TBD work on the KDC to connect principal names to RSA identities.
You can test the plugins with kinit -T ...
In order to actually use the OTP during a login you will need to modify the login process on the machines in question. Specifically you want to use the local host keytab to get a TGT to initialize the FAST exchange for the user. Most likely this means extra features for pam_krb5. I'm sure Russ Allbery would be receptive to patches to his pam_krb5, but he had not received any the last I asked him.
Let us know if you get anything working!!
On Aug 18, 2010, at 9:03 AM, krbdev-request at mit.edu wrote:
> Date: Tue, 17 Aug 2010 13:10:32 -0400
> From: Jonathan Reams <jr3074 at columbia.edu>
> Subject: Pre-authentication with SecurID
> To: krbdev at mit.edu
> Message-ID: <CCFB1B11-679D-4791-9837-79E8A6C4382B at columbia.edu>
> Content-Type: text/plain; charset=us-ascii
> I'm trying to set up RSA SecurID to protect kerberos principals, and I heard that people are doing this as a form of pre-authentication. If you want to get a ticket for a root principal, the KDC returns HWAUTH_REQUIRED and then something happens that talks to RSA SecurID to verify your token, and then you get your ticket. I see the requires_hwauth principal attribute, and I see the KDC honors that flag, but it's unclear how you actually make it useful. Has anyone ever done anything with this? If not, is the pre-auth plugin framework mature enough that it would be worth writing a plugin? Any thoughts or advice would be appreciated. Thanks!
> Jonathan Reams
> Assoc. Systems Engineer
> Columbia University
> jreams at columbia.edu
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz at jpl.nasa.gov, or hbhotz at oxy.edu
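The armor step described in the reply above (host keytab to armor TGT, then the user's kinit inside FAST), written out as an added shell example that is not part of the original thread. It assumes an MIT krb5 client with `kinit -T` support, a keytab at /etc/krb5.keytab holding host/<fqdn>, and the helper names are made up for illustration.

```shell
#!/bin/sh
# Added example, not from the krbdev thread: bootstrap a FAST armor cache from the
# machine's own keytab, then obtain the user's ticket inside that armor. This is the
# sequence a login-time pam_krb5 change would have to perform before OTP pre-auth.
set -e

KEYTAB=${KEYTAB:-/etc/krb5.keytab}            # assumed keytab location
ARMOR_CC=${ARMOR_CC:-/tmp/krb5cc_armor_$$}    # constructed armor cache path

# Hypothetical helper: derive the host service principal stored in the keytab.
# $1 = fully qualified hostname
host_principal() {
    printf 'host/%s\n' "$1"
}

# Armor cache holds machine credentials only, never the user's.
# $1 = fully qualified hostname
get_armor_tgt() {
    kinit -k -t "$KEYTAB" -c "$ARMOR_CC" "$(host_principal "$1")"
}

# User kinit with FAST: -T names the armor ccache, so the OTP value travels inside
# the FAST tunnel instead of in an unprotected pre-auth field.
# $1 = user principal
fast_kinit() {
    kinit -T "$ARMOR_CC" "$1"
}

# Run the real flow only when kinit and the keytab are present and a user principal
# was given; otherwise the file can be sourced just to reuse the functions.
if command -v kinit >/dev/null 2>&1 && [ -r "$KEYTAB" ] && [ -n "${1:-}" ]; then
    get_armor_tgt "$(hostname -f)"
    fast_kinit "$1"
    kdestroy -c "$ARMOR_CC"    # the armor cache is not needed once the user has a TGT
fi
```

Run as `sh fast_kinit.sh user@REALM` on a host that is joined to the realm; kinit will prompt for the token value through the OTP plugin once that plugin is in place.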