What's missing in fast-otp?

Linus Nordberg linus at nordu.net
Mon Jul 18 11:14:21 EDT 2011


Greg Hudson <ghudson at mit.edu> wrote
Mon, 18 Jul 2011 10:11:33 -0400:

| > - Standard compliance and completeness -- we're far from implementing
| >   all of draft-ietf-krb-wg-otp-preauth
| 
| What is not implemented?  What kinds of tokens will be precluded by the
| lack of support?

At the moment, there's only 4-pass with OTP sent in the request.
There's also no support for PIN change.  It's been tested with software
HOTP tokens and Yubikey in OATH mode as well as "yubikey" mode.


| * Is there any way to set up this plugin for use without back-end
| integration with IPA?  If not, this may make it difficult to create test
| cases.

IPA being the generic term "identity and policy management" or something
more specific?

All KDC configuration goes into krb5.conf and the kdb.  OTP verification
is being done by external services like an HTTP server or a "yubikey
server" (which both need some configuration, naturally).

I've been thinking of doing a native HOTP implementation, unless some
other kind of device comes my way first.  This might be good for a more
autonomous test environment.
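
Added example (not part of the original message and not code from the fast-otp plugin): a minimal sketch of what a native HOTP check for a self-contained test environment could look like, following RFC 4226. The function names, the look-ahead window size and the counter handling are assumptions made for illustration; the secret is the RFC 4226 Appendix D test secret.

```python
import hashlib
import hmac
import struct

# Constructed sample input: shared secret from the RFC 4226 Appendix D test vectors.
RFC4226_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """Compute the RFC 4226 HOTP value for an 8-byte big-endian counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation: low nibble of the last byte
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify_hotp(secret, submitted, stored_counter, window=3, digits=6):
    """Check `submitted` against counters stored_counter .. stored_counter + window.

    Returns the counter value to persist on success (matched counter + 1, so
    an accepted OTP cannot be replayed), or None if nothing in the window matches.
    `window` is a hypothetical look-ahead for tokens whose button was pressed
    without the value being used; keep it small to limit guessing.
    """
    # Reject malformed input before doing any HMAC work.
    if len(submitted) != digits or not (submitted.isascii() and submitted.isdigit()):
        return None
    matched = None
    # Scan the whole window without early exit and compare in constant time.
    for counter in range(stored_counter, stored_counter + window + 1):
        if hmac.compare_digest(hotp(secret, counter, digits), submitted):
            if matched is None:
                matched = counter
    return None if matched is None else matched + 1


if __name__ == "__main__":
    # Token is two presses ahead of the server: accepted, server resyncs to 3.
    print(verify_hotp(RFC4226_SECRET, "359152", stored_counter=0))
    # The same OTP presented again after the counter moved on: rejected.
    print(verify_hotp(RFC4226_SECRET, "359152", stored_counter=3))
```

The caller has to persist the returned counter atomically with the authentication decision; otherwise two concurrent requests carrying the same OTP can both succeed.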



