Gopal,

Sorry if I misled you in any way. I don't think I mentioned MIT Kerberos in my email. The product I used is called TrustBroker and is commercially available from CyberSafe; it is not based on MIT or Heimdal, and is not open source. I just wanted to show you so you can see that what you are trying to do can be done ... I also thought you might be interested in a commercially supported solution to meet your two-factor authentication needs. If you plan to continue developing your own solution with MIT then I wish you the best of luck, but if you are interested in our products please let me know.

Take care,
Tim

________________________________
From: Gopal Paliwal [mailto:[EMAIL PROTECTED]]
Sent: 25 July 2007 22:44
To: Tim Alsop; [email protected]
Subject: Re: Implementing OTP mechanism with existing kerberos

Hi Tim,

It's really nice. I could see that you are able to use hardware tokens with MIT Kerberos. If you are comfortable, could you explain to me the way you have done it? It would be great.

-gopal

On 7/25/07, Tim Alsop <[EMAIL PROTECTED]> wrote:

Gopal,

It is not easy to do. If you are interested, we already have a solution - see example below:

# kinit talsop
Password for [EMAIL PROTECTED]:
Enter Passcode (PIN+Tokencode) or Tokencode from your SecurID Token:

# klist -ef
Cache Type: Kerberos V5 Credentials Cache
Cache File: /krb5/tmp/cc/krb5cc_0
Cache Version: 0502
Default Principal: [EMAIL PROTECTED]

Valid From                   Expires                      Service Principal
---------------------------- ---------------------------- -----------------
Wed 25 Jul 2007 22:24:51 BST Thu 26 Jul 2007 06:24:41 BST krbtgt/[EMAIL PROTECTED]
    Session Key EType: 5 (DES3-CBC-MD5)
    Ticket EType: 5 (DES3-CBC-MD5)
    Ticket Flags: IHA

# Note the H flag in ticket flags - this indicates that a hardware token was used to obtain the TGT.

Thanks,
Tim

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Gopal Paliwal
Sent: 25 July 2007 21:31
To: [email protected]
Subject: Implementing OTP mechanism with existing kerberos

Hi,

I am implementing an OTP mechanism in the existing Kerberos. I have set up a pre-auth mechanism to authenticate the clients. Now, the user will be asked for password+OTP instead of just the password. I will be generating this OTP with a hardware token. Also, I will be encrypting the time-stamp with password & OTP. At the Kerberos authentication server, I will be able to generate an OTP. Now, the problem which I will face is that Kerberos doesn't store passwords in clear form, & I somehow need to form a key at the Kerberos authentication server side to decrypt the time-stamp sent in the AS_REQ message by the user. That key will be made up of OTP + password. Can someone point out to me the mechanism as to how I can obtain the password in clear form, or another way with which I will be able to resolve my doubt?

-gopal

________________________________________________
Kerberos mailing list
[email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
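An added example, not taken from any message in the thread above, of how a KDC that stores only the string-to-key output can still verify a password+OTP pre-authentication: both client and KDC derive the pre-auth key from the stored long-term key and the OTP, so the cleartext password is never needed on the server side. It assumes PBKDF2 as a stand-in for the Kerberos string-to-key function, an HMAC-based KDF to combine key and OTP, an HMAC tag over the timestamp in place of an encrypted timestamp (the standard library has no AES), and constructed realm, principal and password values.

```python
import hashlib
import hmac
import struct

# Constructed sample values (not from the thread). A KDC stores only the
# string-to-key output, never the password itself.
REALM = "EXAMPLE.COM"
PRINCIPAL = "gopal"
SALT = (REALM + PRINCIPAL).encode()   # Kerberos-style default salt: realm + name
PASSWORD = "correct horse battery staple"
CLOCK_SKEW = 300                      # seconds, as commonly used for PA-ENC-TIMESTAMP


def string_to_key(password: str, salt: bytes) -> bytes:
    """Stand-in for the Kerberos string-to-key function (PBKDF2-SHA256 is an assumption)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000, dklen=32)


def combined_key(long_term_key: bytes, otp: str) -> bytes:
    """Pre-auth key = KDF(stored long-term key, OTP). The KDC can compute this
    from its database entry, so it never needs the cleartext password."""
    return hmac.new(long_term_key, b"otp-preauth:" + otp.encode(), hashlib.sha256).digest()


def client_preauth(password: str, otp: str, timestamp: int) -> bytes:
    """Client side: derive the key from password + OTP and bind it to a timestamp."""
    key = combined_key(string_to_key(password, SALT), otp)
    ts = struct.pack(">Q", timestamp)
    return ts + hmac.new(key, ts, hashlib.sha256).digest()   # timestamp || tag


def kdc_verify(stored_key: bytes, kdc_otp: str, preauth: bytes, now: int) -> bool:
    """KDC side: rebuild the key from the stored key and the OTP it generated
    itself, check the tag in constant time, then reject stale timestamps."""
    ts_bytes, tag = preauth[:8], preauth[8:]
    key = combined_key(stored_key, kdc_otp)
    expected = hmac.new(key, ts_bytes, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return False            # wrong password, wrong OTP, or tampered data
    (ts,) = struct.unpack(">Q", ts_bytes)
    return abs(now - ts) <= CLOCK_SKEW


def demo(client_otp: str, kdc_otp: str, t_client: int, t_kdc: int,
         password: str = PASSWORD) -> bool:
    """Run one AS-REQ pre-auth round trip with constructed inputs."""
    stored_key = string_to_key(PASSWORD, SALT)       # what the KDC has on file
    return kdc_verify(stored_key, kdc_otp, client_preauth(password, client_otp, t_client), t_kdc)
```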
