On Jun 6, 2007, at 12:58 PM, Nicolas Williams wrote:

> On Wed, Jun 06, 2007 at 12:54:20PM -0700, Henry B. Hotz wrote:
>>
>> On Jun 6, 2007, at 12:06 PM, Nicolas Williams wrote:
>>
>>> On Wed, Jun 06, 2007 at 11:58:38AM -0700, Henry B. Hotz wrote:
>>>> The OTP travels over a TBD link to the KDC. The KDC then uses the
>>>> vendor-provided software to validate the OTP; in other words the
>>>> vendor is validating that the KDC has a valid OTP.
>>>
>>> How is that different than with, say, PAM? How can the OTP server know
>>> whether its client is a telnet server, or something else? How can it
>>> know that the user is on the client's console, logically or physically?
>>
>> pam_krb5 *is* the client.
>
> I was thinking of pam_otp.
Ah! Very interesting point. I guess we're in violent agreement about the problem, but I guess an OTP vendor might argue that they've done as much as they can by supplying such a pam module.

Only thing I can say is that the client-side OTP "thing" really needs to be fastened to the user, not the app server (telnetd in this example), and that SAs should be smart enough not to subvert the security model. Less than satisfying.

This discussion is really taking more time than I should devote to it, I'm afraid.

------------------------------------------------------------------------
The opinions expressed in this message are mine, not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz at jpl.nasa.gov, or hbhotz at oxy.edu