[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Kerberos tickets and one time passwords

To: heimdal-discuss <heimdal-discuss@sics.se>
Subject: Re: Kerberos tickets and one time passwords
From: Balazs GAL <balsa@rit.bme.hu>
Date: 28 Feb 2003 21:29:26 +0100
In-Reply-To: <Pine.LNX.4.51.0302281226111.15855@juno.ifh.de>
References: <Pine.LNX.4.44.0302281054320.20635-100000@scs-onime.ictp.trieste.it> <Pine.LNX.4.51.0302281226111.15855@juno.ifh.de>
Sender: owner-heimdal-discuss@sics.se

2003-02-28, p keltezéssel Andreas Haupt ezt írta:
> On Fri, 28 Feb 2003, Onime Clement wrote:
> 
> > Another idea is to use PAM, if your system supports it! then you won't
> > even have to modify login/telnetd. A pam session module could run kinit
> > and then afslog or aklog only after the one time password is accepted.
> 
> Thank you for that tip! I did not know about an existing pam module for
> s/key.
> 
> Do you know such a pam module, that can start user defined programs? Our
> kerberos5 pam module (written by Nalin Dahyabhai) does not seem to be able
> to request initial tickets when taking the key from a keytab.

pam_krb5 never supported the user authentication with keytabs.
The keytab option is for tgt validation. You can check the requested tgt
was spoofed or not. The keytab can contains a
host/hostname.org@YOUR.DOMAIN host principal and pam_krb5
can check the requested tgt with krb5_verify_init_creds.

balsa

p.s: Unfortunately tgt validation is broken in pam_krb5-heimdal-1.3-rc6,
use pam_krb5_snap-2003.02.23.

References:
- Re: Kerberos tickets and one time passwords
  - From: Onime Clement <onime@ictp.trieste.it>
- Re: Kerberos tickets and one time passwords
  - From: Andreas Haupt <ahaupt@ifh.de>

Prev by Date: Re: Kerberos tickets and one time passwords
Prev by thread: Re: Kerberos tickets and one time passwords
Index(es):
- Date
- Thread