OTP, deployability.

Dmitri Pal dpal at redhat.com
Thu Jun 16 18:56:15 EDT 2011


On 06/16/2011 02:00 PM, Greg Hudson wrote:
> On Thu, 2011-06-16 at 13:35 -0400, Roland C. Dowdeswell wrote:
>> If one has a large deployed Kerberos infrastructure, it would be
>> much easier to deploy it if it did not involve the addition of
>> pre-authentication mechanisms but rather was able to work with
>> PA-ENC-TIMESTAMP using a single password prompt.
> PA-ENC-TIMESTAMP doesn't deliver the password to the KDC; it encrypts
> the client's current time in the password.  Is your proposed design that
> the KDC just tries decrypting the token in every acceptable OTP value
> (or password + OTP value where applicable) and see if one works?  I
> don't know if commercial OTP APIs allow the KDC to construct a list of
> acceptable OTP values.
>
>

No sane vendor would do this. Having been part of one for many years, I know
that it can only be the other way around: have a client-side API that
would get the encrypted or hashed OTP, send it to the OTP server, and
then the OTP server would do the validation.
This was thought to be a long shot and nobody did that, as it required
significant changes to the client library and vendor-internal protocols.
Too much effort for the vendors.
Instead they did the OTP draft. IMO this is the way to go. Nothing
better will be available for the foreseeable future. Yes, it requires
changes on the KDC and on the client. Yes, they will be slow. Yes, there are
all sorts of limitations. But at least we are working on it as we speak.
If you are really interested, please help with the Authentication Hub
project.




-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.
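To make the exchange above concrete, here is an added toy model (not code from the thread, MIT Kerberos, or any vendor) of PA-ENC-TIMESTAMP and of the "KDC tries every acceptable OTP value" idea Greg raises. Real Kerberos uses RFC 3961/3962 string2key and encryption types; PBKDF2-HMAC-SHA256 and an HMAC-based encrypt-then-MAC construction stand in for them here, and the salt, skew, password and OTP values are constructed.

```python
import hashlib, hmac, os, struct

SALT = b"EXAMPLE.COMuser"   # constructed: realm + principal, like the Kerberos default salt
ALLOWED_SKEW = 300          # seconds; the usual Kerberos clockskew

def string2key(secret: str) -> bytes:
    # Stand-in for string2key: the KDC and client both derive the key from
    # the secret; the secret itself never travels over the wire.
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), SALT, 4096, 32)

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # Toy stream cipher keyed by HMAC; only for illustration.
    return hmac.new(key, nonce + b"stream", hashlib.sha256).digest()[:n]

def encrypt_timestamp(key: bytes, now: int) -> bytes:
    # Client side of PA-ENC-TIMESTAMP: encrypt the current time under the
    # secret-derived key. Only nonce || ciphertext || tag leaves the client.
    nonce = os.urandom(16)
    pt = struct.pack(">Q", now)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, 8)))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def decrypt_timestamp(key: bytes, blob: bytes):
    # Returns the timestamp, or None when the key is wrong (tag mismatch).
    nonce, ct, tag = blob[:16], blob[16:24], blob[24:]
    expect = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expect, tag):
        return None
    pt = bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, 8)))
    return struct.unpack(">Q", pt)[0]

def kdc_verify(blob: bytes, candidate_secrets, now: int) -> bool:
    # The design Greg asks about: since the KDC never sees the secret, it
    # can only try each acceptable candidate (plain password, or password +
    # every OTP value still in the window) and accept a fresh timestamp.
    for secret in candidate_secrets:
        ts = decrypt_timestamp(string2key(secret), blob)
        if ts is not None and abs(ts - now) <= ALLOWED_SKEW:
            return True
    return False
```

The candidate list is exactly the thing Greg doubts a commercial OTP API will hand out; Dmitri's alternative moves validation to the OTP server instead of enumerating candidates on the KDC.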

