Hi all,

We have here two types of passwords, normal and OTP. OTP authentication should be valid for normal password services, but not the other way around.

For that I've created two realms: EXAMPLE.COM and OTP.EXAMPLE.COM with one-way cross-realm authentication. While it seems to generally work, I would like to know if it's the correct way to do this, and if it might have some problems with services wanting [email protected] but getting [email protected]. And if so, is there some way to solve this?

The second problem I have is that I want to use the normal password from inside a specific network, but OTP from outside. My thoughts here were to prevent the EXAMPLE.COM KDC from giving initial tickets from outside the network, either by using a different KDC to answer outside requests with all users having the -allow_tix attribute, or by using a preauth plugin that refuses outside-the-network users (though for now it seems that the preauth plugin API doesn't provide this information; please correct me if I'm wrong). Are these solutions reasonable? Is there already a proper way to achieve this?

Thanks in advance,
Yair.

________________________________________________
Kerberos mailing list
[email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
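One way to express the one-way trust described in the post above in MIT krb5 configuration, as an added illustration that is not part of the original message; the KDC host names, the use of auth_to_local for the name-mismatch question, and the assumption that the same user name exists in both realms are mine:

```ini
# Added illustration (not from the original post): MIT krb5 one-way
# cross-realm trust so that OTP.EXAMPLE.COM principals can use services in
# EXAMPLE.COM, while EXAMPLE.COM principals cannot use OTP.EXAMPLE.COM services.
#
# Only ONE cross-realm principal is created, with the same key in both KDC
# databases (run in kadmin.local on each KDC and enter the same password twice):
#   addprinc -e aes256-cts:normal krbtgt/EXAMPLE.COM@OTP.EXAMPLE.COM
# The reverse principal, krbtgt/OTP.EXAMPLE.COM@EXAMPLE.COM, is deliberately
# not created; its absence is what makes the trust one-way.

[libdefaults]
    default_realm = EXAMPLE.COM

[realms]
    EXAMPLE.COM = {
        kdc = kdc.example.com              # host name is an assumption
        admin_server = kdc.example.com
        # Map a cross-realm OTP principal onto the local account name, so a
        # service that expects "user" sees "user" whether the client came from
        # EXAMPLE.COM or OTP.EXAMPLE.COM (assumes identical user names).
        auth_to_local = RULE:[1:$1@$0](^.*@OTP\.EXAMPLE\.COM$)s/@OTP\.EXAMPLE\.COM$//
        auth_to_local = DEFAULT
    }
    OTP.EXAMPLE.COM = {
        kdc = otp-kdc.example.com          # host name is an assumption
        admin_server = otp-kdc.example.com
    }

[domain_realm]
    .example.com = EXAMPLE.COM
    example.com = EXAMPLE.COM

[capaths]
    # Direct path from the OTP realm to the password realm; "." means no
    # intermediate realm is needed. There is no entry for the opposite direction.
    OTP.EXAMPLE.COM = {
        EXAMPLE.COM = .
    }
```

The auth_to_local rule only affects how the principal name is mapped to a local user on the service host; authorization decisions that look at the full principal name (realm included) still see the OTP.EXAMPLE.COM realm.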
