Alexander Bokovoy wrote:
On Wed, 05 Oct 2011, Dmitri Pal wrote:
At least, according to IETF draft on OTP preauth with kerberos,
client has to submit next key if clocks have drifted which implies you
cannot re-use the same OTP next time. To me this looks like in OTP
case clocks synchronization is very important. In our OTP case it does
not matter except for an artificial delay...
This is not Kerberos OTP, it does an LDAP simple bind.
It is more like a "nonce", it is not an OTP that can be generated based
on some hardware or software token.
The Kerberos OTP draft is about those OTPs we are not. We are literally
One Time Password.
Does it also mean if clocks were skewed, you would not have next
chance to use the same password again? If that's the case, it is
better to wait a second or three for time sync.
The password is deleted on the bind, it isn't time sensitive. I'm fine
with any potential delay since the message is printed.
Freeipa-devel mailing list