On Jun 6, 2007, at 12:06 PM, Nicolas Williams wrote:

> On Wed, Jun 06, 2007 at 11:58:38AM -0700, Henry B. Hotz wrote:
>> The OTP travels over a TBD link to the KDC.  The KDC then uses the
>> vendor-provided software to validate the OTP;  in other words the
>> vendor is validating that the KDC has a valid OTP.
>
> How is that different than with, say, PAM?  How can the OTP server know
> whether its client is a telnet server, or something else?  How can it
> know that the user is on the client's console, logically or physically?

pam_krb5 *is* the client.

There is no way for the KDC to know if the real user is using
unsecured telnet with pam run by telnetd.  That's really bad, but it's
outside the scope of what the KDC is or can be responsible for.

------------------------------------------------------------------------
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz at jpl.nasa.gov, or hbhotz at oxy.edu
