I just noticed the SecurID Preauth Support plugin in MIT Kerberos 1.9 and I was wondering if anyone has been using it yet.
I am specifically interested in the operational and user aspects of supporting this plugin. >From the plugin's Readme: "Once the plugin is installed, set the requires_preauth and potentially requires_hwauth flags for a principal. Then create principal/SECURID as a new principal with a random key. That principal will now require SecurID authentication." >From this and the source, I am thinking that if I create a principal named >'fred' (which corresponds with, say, a unix login named 'fred'), I can enable >SecurID preauth in the manner described and as far as 'fred' is concerned, the >only thing that has changed is that he now has to use his PIN/Token to >successfully preauth, not his old password. The user need never know that >'fred/SECURID' exists and the any tgt's issued by the KDC will have the 'H' >(Hardware authenticated) flag set. Is this accurate? jd ________________________________________________ Kerberos mailing list [email protected] https://mailman.mit.edu/mailman/listinfo/kerberos
