Gopal,
It is not easy to do. If you are interested, we already have a solution
- see example below :
# kinit talsop
Password for [EMAIL PROTECTED]:
Enter Passcode (PIN+Tokencode) or Tokencode from your SecurID Token:
# klist -ef
Cache Type: Kerberos V5 Credentials Cache
Cache File: /krb5/tmp/cc/krb5cc_0
Cache Version: 0502
Default Principal: [EMAIL PROTECTED]
Valid From Expires Service
Principal
---------------------------- ----------------------------
-----------------
Wed 25 Jul 2007 22:24:51 BST Thu 26 Jul 2007 06:24:41 BST
krbtgt/[EMAIL PROTECTED]
Session Key EType: 5 (DES3-CBC-MD5)
Ticket EType: 5 (DES3-CBC-MD5)
Ticket Flags: IHA
#
Note the H flag in ticket flags - this indicates that hardware token was
used to obtain the TGT.
Thanks,
Tim
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
Behalf Of Gopal Paliwal
Sent: 25 July 2007 21:31
To: [email protected]
Subject: Implementing OTP mechanism with existing kerberos
Hi,
I am implementing OTP mechanism in the existing kerberos.
I have set up pre-auth mechanism to authenticate the clients.
Now, the user will be asked password+OTP instead of just password. i
will be
generating this OTP with a hardware token.
Also, i will be encrypting time-stamp with password & OTP.
At the kerberos authentication server, I will be able to generate a OTP.
Now, the problem which I will face is that kerberos doesn't store
passwords
in clear form. & I somehow need to form a key at kerberos authentication
server side to decrypt the time-stamp sent in the AS_REQ message by
user.
That key will be made up of OTP + password.
Can someone point me out the mechanism as to how can I obtain password
in
clear form or other way with which I will be able to resolve my doubt.
-gopal
________________________________________________
Kerberos mailing list [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
________________________________________________
Kerberos mailing list [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
