Douglas Song writes:
>
> I don't know that there would be an easy way to incorporate S/Key into
> Kerberos V4 (what AFS uses) since it lacks the preauthentication exchanges
> that can be used to do challenge/response. If anyone has any ideas on how
> else to do this, I'd love to hear them...
>
There was a thread about this a while back, and I think it can be done
fairly easily. What about something like:
user(u) wants to login to a workstation(w). w has a srvtab (rcmd.w),
so it makes an authenticated/encrypted request to a special S/Key
server(s) running on a secure box. s sends back the challenge to w
which presents it to u. u types in the response, and w forwards it back to
s. If the response is valid s constructs a TGT/AFS Token (it must have
access to the secret key to construct it), and sends it back to w
which hands it over to u.
Something like:
u --> I want to login --> w
w --> gimme u's challenge --> s
s --> here is the challenge --> w
w --> displays challenge --> u
u --> response --> w
w --> response --> s
s --> if valid, update S/Key db and hand back tgt --> w
w --> stuff it in KRBTKFILE, let user login
All communications between w/s can be secure if w has a srvtab.
Any obvious problems with this? Having a replicated S/Key server could
be a little tricky, or you could just set up multiple independent
ones.
roland
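The exchange roland sketches above, worked through as an added example. This is not code from the original thread, from S/Key, or from Kerberos/AFS. Assumptions: SHA-256 stands in for S/Key's hash function; the w<->s channel is modelled as an HMAC over JSON keyed by the workstation's srvtab entry (authenticity only, no encryption); the "ticket" s hands back is an opaque HMAC-signed blob standing in for a real TGT/AFS token; the user secret, seed and names are constructed sample data. The demo runs two honest logins and then a replay of the OTP just consumed, which the updated S/Key database rejects.

```python
import hashlib
import hmac
import json
import secrets

# Added example, not code from the original post. Models the flow
# u -> w -> s (challenge) -> w -> u, u -> w -> s (response) -> w (ticket).
# SHA-256 stands in for S/Key's hash (assumption).


def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def skey_otp(secret: bytes, seed: str, n: int) -> str:
    """One-time password number n: H applied n times to seed||secret."""
    x = seed.encode() + secret
    for _ in range(n):
        x = H(x)
    return x.hex()


def seal(key: bytes, msg: dict) -> dict:
    """w<->s message authenticated with the workstation's srvtab key (assumed HMAC model)."""
    body = json.dumps(msg, sort_keys=True)
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


def unseal(key: bytes, env: dict) -> dict:
    tag = hmac.new(key, env["body"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, env["tag"]):
        raise ValueError("bad MAC on w<->s message")
    return json.loads(env["body"])


class SKeyServer:
    """s: holds the S/Key database and the key needed to mint tickets."""

    def __init__(self, srvtab: dict, ticket_key: bytes):
        self.srvtab = srvtab          # workstation name -> key shared with that workstation
        self.ticket_key = ticket_key  # stands in for the realm secret s must hold to mint tickets
        self.db = {}                  # user -> {"seq": n, "seed": s, "last": H^n(seed||secret)}

    def enroll(self, user: str, secret: bytes, seed: str, n: int) -> None:
        self.db[user] = {"seq": n, "seed": seed, "last": skey_otp(secret, seed, n)}

    def handle(self, ws: str, env: dict) -> dict:
        key = self.srvtab[ws]
        req = unseal(key, env)
        rec = self.db.get(req["user"])
        if rec is None or rec["seq"] < 2:
            return seal(key, {"ok": False, "why": "no such user or chain exhausted"})
        if req["op"] == "challenge":
            return seal(key, {"ok": True, "seq": rec["seq"] - 1, "seed": rec["seed"]})
        if req["op"] == "response":
            # Valid iff hashing the user's answer reproduces the stored value.
            if H(bytes.fromhex(req["otp"])).hex() != rec["last"]:
                return seal(key, {"ok": False, "why": "bad response"})
            rec["seq"] -= 1            # update the S/Key db so this OTP cannot be replayed
            rec["last"] = req["otp"]
            tkt = json.dumps({"user": req["user"], "ws": ws, "seq": rec["seq"]})
            sig = hmac.new(self.ticket_key, tkt.encode(), hashlib.sha256).hexdigest()
            return seal(key, {"ok": True, "ticket": {"body": tkt, "sig": sig}})
        return seal(key, {"ok": False, "why": "unknown op"})


def workstation_login(server: SKeyServer, ws: str, key: bytes, user: str, answer):
    """w: fetch the challenge, show it to u (the answer callable), relay u's OTP, return the ticket."""
    ch = unseal(key, server.handle(ws, seal(key, {"op": "challenge", "user": user})))
    if not ch["ok"]:
        return None
    otp = answer(ch["seq"], ch["seed"])  # u types the OTP for the displayed challenge
    rsp = unseal(key, server.handle(ws, seal(key, {"op": "response", "user": user, "otp": otp})))
    return rsp.get("ticket") if rsp["ok"] else None  # caller would stuff this into KRBTKFILE


def demo():
    ws_key = secrets.token_bytes(32)
    s = SKeyServer({"ws1": ws_key}, ticket_key=secrets.token_bytes(32))
    user_secret = b"correct horse battery staple"  # constructed sample passphrase
    s.enroll("roland", user_secret, seed="ws12345", n=100)
    honest = lambda seq, seed: skey_otp(user_secret, seed, seq)
    t1 = workstation_login(s, "ws1", ws_key, "roland", honest)
    t2 = workstation_login(s, "ws1", ws_key, "roland", honest)
    stale = lambda seq, seed: skey_otp(user_secret, seed, seq + 1)  # replays the OTP just used
    t3 = workstation_login(s, "ws1", ws_key, "roland", stale)
    return t1 is not None, t2 is not None, t3 is None, s.db["roland"]["seq"]


if __name__ == "__main__":
    print(demo())  # (True, True, True, 98)
```

Because s verifies H(response) against the stored value and then overwrites that value with the response itself, each OTP is usable exactly once; the replay in `demo` fails even though it was a valid answer one step earlier. The `seq < 2` guard is where a real deployment would force re-enrolment rather than let the chain run down to its seed.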