New tl_data type

Linus Nordberg linus at
Thu Sep 1 18:32:11 EDT 2011

Dmitri Pal <dpal at> wrote
Thu, 01 Sep 2011 15:35:40 -0400:

| > Another option is to add kadmin support in 1.10 specifically for OTP
| > metadata; this might be more focused code, but does require us to nail
| > down what we want the OTP metadata to be.

I'm fine with that.

| I will try to craft some of the ideas about what kind of data this can
| be and send it out before the weekend.


This is what we're doing right now, from
src/plugins/preauth/otp/otp_main.c.  This could need some more thinking.
For example, if the token id really should encode the token type as
suggested, perhaps we should be able to deduce the authentication method
from that?  And should the OATH scheme really be used for the token id?

--8<---------------cut here---------------start------------->8---
  A successful OTP authentication follows this process on the KDC.

  (1) The kdb is searched for an OTP token identity (KRB5_TL_OTP_ID),
      matching what might be found in preauth attribute "OTP_TOKENID".

  (2) An authentication method, i.e. a function, is picked from the
      result of (1).

  (3) The kdb is searched for an OTP method data blob
      (KRB5_TL_OTP_BLOB) matching the token id used.

  (4) The authentication method from (2) is invoked with the binary
      blob from (3).

  (5) The result from (4) is returned.

  Two new tl-data types are defined for the krbExtraData field in the
  Kerberos database, KRB5_TL_OTP_ID and KRB5_TL_OTP_BLOB.

  KRB5_TL_OTP_ID is a string with two parts separated by a colon.


    otp-token-id identifies a unique token in the form of a class A
    OATH token identifier as specified in MMTTUUUUUUUU, where
    M=manufacturer, T=token type and U=manufacturer unique id.

    method-name identifies the method to use for authentication
    (f.ex. "basicauth", "ykclient" or "nativehotp").  The method name
    maps to a function in the OTP plugin or possibly in a second-level
    plugin.  A method may use the prefix "otp_<method-name>_" for
    profile names in krb5.conf.

  KRB5_TL_OTP_BLOB is a binary blob tagged with a token id.


    otp-token-id is the same token identifier as found in a

    binary-blob is a binary blob passed to the authentication method
    chosen based on the KRB5_TL_OTP_ID.

  A token id may be passed to the KDC using the pre-authentication
  attribute OTP_TOKENID ("kinit -X OTP_TOKENID=mytoken ...").  If no
  OTP_TOKENID is provided, the first KRB5_TL_OTP_ID found is being
--8<---------------cut here---------------end--------------->8---
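Steps (1) to (3) of the process quoted above, as an added example that is not code from otp_main.c: a constructed in-memory kdb is searched for the KRB5_TL_OTP_ID entry (the one matching OTP_TOKENID, or the first one when none is given), the string is split into token id and method name, and the KRB5_TL_OTP_BLOB tagged with that token id is located. The tl-data type numbers, the colon-separated layout of the blob entry and the alphanumeric check on the token id are assumptions.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Placeholder type numbers: the real values are assigned in the KDC headers. */
#define KRB5_TL_OTP_ID   1001
#define KRB5_TL_OTP_BLOB 1002

struct tl_data { int type; const char *data; size_t len; };
struct otp_sel {
    char token_id[13];          /* class A OATH id, MMTTUUUUUUUU */
    char method[32];            /* e.g. "basicauth", "ykclient", "nativehotp" */
    const char *blob;           /* method data taken from KRB5_TL_OTP_BLOB */
    size_t blob_len;
};

/* A class A token id is exactly 12 characters; alnum-only is an assumption. */
static int token_id_ok(const char *s, size_t n) {
    size_t i;
    if (n != 12) return 0;
    for (i = 0; i < n; i++) if (!isalnum((unsigned char)s[i])) return 0;
    return 1;
}

/* Steps (1)-(3): pick the KRB5_TL_OTP_ID entry (matching OTP_TOKENID, or the
 * first one if want is NULL), split "token-id:method", then find the blob
 * tagged with that token id (assumed layout: token id, ':', raw bytes).
 * Returns 0 on success, -1 if no usable id, -2 if no blob for the token. */
int otp_select(const struct tl_data *db, size_t n, const char *want, struct otp_sel *out) {
    size_t i; const char *colon;
    memset(out, 0, sizeof *out);
    for (i = 0; i < n; i++) {
        if (db[i].type != KRB5_TL_OTP_ID) continue;
        colon = memchr(db[i].data, ':', db[i].len);
        if (!colon || !token_id_ok(db[i].data, (size_t)(colon - db[i].data))) continue;
        if (want && (strlen(want) != 12 || memcmp(want, db[i].data, 12) != 0)) continue;
        memcpy(out->token_id, db[i].data, 12);
        snprintf(out->method, sizeof out->method, "%.*s", (int)(db[i].len - 13), colon + 1);
        break;
    }
    if (out->token_id[0] == '\0') return -1;
    for (i = 0; i < n; i++) {
        if (db[i].type != KRB5_TL_OTP_BLOB || db[i].len < 13) continue;
        if (memcmp(db[i].data, out->token_id, 12) != 0 || db[i].data[12] != ':') continue;
        out->blob = db[i].data + 13; out->blob_len = db[i].len - 13;
        return 0;
    }
    return -2;
}

/* Constructed sample kdb: two tokens for one principal, a blob only for the first. */
static const char id1[] = "ubhe12345678:nativehotp", id2[] = "ykYK00000001:ykclient";
static const char blob1[] = "ubhe12345678:\x01\x02\x03\x04";
const struct tl_data kdb_sample[] = {
    { KRB5_TL_OTP_ID, id1, sizeof id1 - 1 }, { KRB5_TL_OTP_BLOB, blob1, sizeof blob1 - 1 },
    { KRB5_TL_OTP_ID, id2, sizeof id2 - 1 },
};
const size_t kdb_sample_n = sizeof kdb_sample / sizeof kdb_sample[0];
```

Step (4) is where the selected method would be called with `blob`/`blob_len`; a token that has an id entry but no blob (the second token above) is rejected before any method runs.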
