OTP, deployability.

Greg Hudson ghudson at MIT.EDU
Thu Jun 16 14:00:43 EDT 2011


On Thu, 2011-06-16 at 13:35 -0400, Roland C. Dowdeswell wrote:
> If one has a large deployed Kerberos infrastructure, it would be
> much easier to deploy it if it did not involve the addition of
> pre-authentication mechanisms but rather was able to work with
> PA-ENC-TIMESTAMP using a single password prompt.

PA-ENC-TIMESTAMP doesn't deliver the password to the KDC; it encrypts
the client's current time in the password.  Is your proposed design that
the KDC just tries decrypting the token in every acceptable OTP value
(or password + OTP value where applicable) and sees if one works?  I
don't know if commercial OTP APIs allow the KDC to construct a list of
acceptable OTP values.
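To make the design question concrete, here is an added toy model of the exchange (example code, not part of the thread or of MIT krb5): the client encrypts its timestamp under a key derived from password+OTP, and the KDC, which never learns the OTP, trial-decrypts under every OTP value in its acceptance window. Assumed stand-ins: PBKDF2 for string2key, an HMAC-based keystream plus MAC instead of a real Kerberos enctype, HOTP for the token, and a KDC that holds the user's OTP seed and password material.

```python
import hmac, hashlib, os, struct, time

# Toy stand-ins (assumptions, not krb5's real string2key or AES enctypes):
# PBKDF2 for key derivation, HMAC-SHA256 keystream plus MAC for the enctype.
def string2key(secret: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 10_000, 32)

def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(16)
    stream = hmac.new(key, b"enc" + nonce, hashlib.sha256).digest()[:len(plaintext)]
    body = bytes(p ^ s for p, s in zip(plaintext, stream))
    tag = hmac.new(key, b"mac" + nonce + body, hashlib.sha256).digest()
    return nonce + body + tag

def decrypt(key: bytes, blob: bytes):
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    expect = hmac.new(key, b"mac" + nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expect):
        return None  # wrong key (or tampering): integrity check fails, no plaintext
    stream = hmac.new(key, b"enc" + nonce, hashlib.sha256).digest()[:len(body)]
    return bytes(p ^ s for p, s in zip(body, stream))

def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: the event-based OTP both client and KDC can compute."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = (int.from_bytes(mac[off:off + 4], "big") & 0x7FFFFFFF) % 10 ** digits
    return f"{code:0{digits}d}"

def client_pa_enc_timestamp(password: str, otp: str, salt: bytes, now: int) -> bytes:
    # The KDC receives neither the password nor the OTP, only the current
    # time encrypted under a key derived from password+OTP.
    return encrypt(string2key(password + otp, salt), struct.pack(">Q", now))

def kdc_verify(blob, password, seed, salt, counter, now, window=1, skew=300):
    """Trial-decrypt under every OTP value the KDC would currently accept.
    Returns the matching counter, or None. Cost grows with the window."""
    for c in range(counter - window, counter + window + 1):
        pt = decrypt(string2key(password + hotp(seed, c), salt), blob)
        if pt is None:
            continue
        ts = struct.unpack(">Q", pt)[0]
        if abs(ts - now) <= skew:  # the usual clock-skew check on the timestamp
            return c
    return None

if __name__ == "__main__":
    seed, salt, now = b"constructed-seed", b"EXAMPLE.ORGuser", int(time.time())
    blob = client_pa_enc_timestamp("hunter2", hotp(seed, 7), salt, now)
    print(kdc_verify(blob, "hunter2", seed, salt, counter=7, now=now))
```

Each candidate costs one key derivation plus one decryption, so the window the KDC is willing to accept (and whether the OTP API can enumerate it at all) sets the per-request cost and the KDC's exposure to online guessing.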