OTP, deployability.
Greg Hudson
ghudson at MIT.EDU
Thu Jun 16 14:00:43 EDT 2011
On Thu, 2011-06-16 at 13:35 -0400, Roland C. Dowdeswell wrote:
> If one has a large deployed Kerberos infrastructure, it would be
> much easier to deploy it if it did not involve the addition of
> pre-authentication mechanisms but rather was able to work with
> PA-ENC-TIMESTAMP using a single password prompt.
PA-ENC-TIMESTAMP doesn't deliver the password to the KDC; it encrypts
the client's current time in the password. Is your proposed design that
the KDC just tries decrypting the token in every acceptable OTP value
(or password + OTP value where applicable) and sees if one works? I
don't know if commercial OTP APIs allow the KDC to construct a list of
acceptable OTP values.
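The design Greg is asking about, as an added example that is not part of the thread and not MIT Kerberos code: the client encrypts its timestamp in a key derived from password plus OTP, and the KDC tries every OTP value it would currently accept. The example assumes TOTP (RFC 6238) as the OTP algorithm so the KDC can enumerate the window itself, PBKDF2 as a stand-in for the Kerberos string-to-key function, a toy XOR-plus-HMAC construction in place of a real Kerberos enctype, and an 8-byte integer in place of the ASN.1 KerberosTime; the seed, password and clock value are constructed sample data.

```python
"""Toy model of PA-ENC-TIMESTAMP over password+OTP with a KDC-side search
over the acceptable OTP values.  Example code, not from the krbdev thread
and not MIT Kerberos code.  Assumptions: TOTP as the OTP algorithm, PBKDF2
standing in for string-to-key, a toy XOR+HMAC cipher standing in for a
real Kerberos enctype, an 8-byte integer standing in for KerberosTime."""
import hashlib
import hmac
import struct

SECRET = b"constructed-totp-seed"   # constructed sample OTP seed (assumption)
TOTP_STEP = 30                      # seconds per TOTP step
CLOCK_SKEW = 300                    # KDC clock-skew tolerance in seconds
SALT = b"EXAMPLE.COMuser"           # constructed realm+principal salt (assumption)


def totp(seed: bytes, t: int, step: int = TOTP_STEP, digits: int = 6) -> str:
    """RFC 6238 TOTP (HOTP over the time-step counter, SHA-1, 6 digits)."""
    counter = struct.pack(">Q", t // step)
    mac = hmac.new(seed, counter, hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF) % 10 ** digits
    return f"{code:0{digits}d}"


def acceptable_otps(seed: bytes, now: int, window: int = 1) -> list:
    """Every OTP the KDC would accept right now: current step +/- window."""
    return [totp(seed, now + k * TOTP_STEP) for k in range(-window, window + 1)]


def string_to_key(password: str, otp: str) -> bytes:
    """Stand-in for string-to-key: derive a 32-byte key from password+OTP.
    The password+OTP concatenation is itself an assumption of this model."""
    return hashlib.pbkdf2_hmac("sha256", (password + otp).encode(), SALT, 4096, 32)


def toy_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Toy cipher: XOR with a key-derived keystream, then HMAC tag.
    No confounder, so equal plaintexts give equal ciphertexts; fine for a
    model, not for a real enctype."""
    ks = hashlib.sha256(b"keystream" + key).digest()[:len(plaintext)]
    ct = bytes(a ^ b for a, b in zip(plaintext, ks))
    tag = hmac.new(key, ct, hashlib.sha256).digest()
    return ct + tag


def toy_decrypt(key: bytes, blob: bytes):
    """Verify the tag under this key; return plaintext or None if it fails.
    A tag failure is how the KDC learns that this key (this OTP) is wrong."""
    ct, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, ct, hashlib.sha256).digest(), tag):
        return None
    ks = hashlib.sha256(b"keystream" + key).digest()[:len(ct)]
    return bytes(a ^ b for a, b in zip(ct, ks))


def client_pa_enc_timestamp(password: str, otp: str, now: int) -> bytes:
    """Client side: single prompt for password and OTP, encrypt the
    current time in the derived key, send that as the pre-auth data."""
    return toy_encrypt(string_to_key(password, otp), struct.pack(">Q", now))


def kdc_verify(blob: bytes, password: str, seed: bytes, now: int):
    """KDC side: try every acceptable OTP value; return the one that both
    decrypts the token and yields a timestamp within CLOCK_SKEW, else None.
    Note this needs the KDC to be able to *generate* candidate OTP values,
    which a validate-only OTP API does not allow."""
    for otp in acceptable_otps(seed, now):
        pt = toy_decrypt(string_to_key(password, otp), blob)
        if pt is None:
            continue                      # wrong OTP (or wrong password)
        (ts,) = struct.unpack(">Q", pt)
        if abs(ts - now) <= CLOCK_SKEW:
            return otp
    return None
```

With a three-value window the KDC does three key derivations per AS-REQ instead of one; with a longer resynchronisation window, or with password and OTP combined, the per-request cost grows linearly with the number of candidate values.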