
Re: Kerberos tickets and one time passwords



On Fri, Feb 28, 2003 at 10:27:19AM +0100, Andreas Haupt wrote:
> On Fri, 28 Feb 2003, Brian May wrote:
> 
> > On Fri, Feb 28, 2003 at 08:17:37AM +0100, Andreas Haupt wrote:
> > > for some reason we need a (telnet) login with one time passwords. The
> > > problem is that you don't get a Kerberos ticket with the telnet supplied
> > > with Heimdal. Users have to do klog to work on their AFS home directories,
> > > so the clear password is transmitted over the network.
> > >
> > > I thought of modifying the telnetd source to let it automatically do a
> > > kinit. The keys of those users are stored in a keytab file on the telnet
> > > server. All I have to do is something like "kinit -k -t <keytab file>"
> > > after the user logged in properly with his one time password.
> >
> > I wouldn't modify telnetd, login might be better.
> 
> OK. This place looks better somehow.

(sorry for the delay, I was on vacation last week)
We have developed a service for "transformation" of OTPs to krb5 tickets,
it's based on SASL and krb525 mechanisms. This way we are able to create krb5
tickets for users authenticated via OTP without requiring the users to store
their keys in keytabs. We also adapted the libotp library from Heimdal to
support this service, so only relinking of the login program (which supports
OTP authentication) is needed. I could provide you with more information and
source code if you are interested.

Cheers,

--
Dan
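
An added example, not part of the thread or of Heimdal: the proposal quoted above keeps every OTP user's long-term key in a keytab on the telnet server, which is exactly what Dan's krb525-based service avoids. The script below reads the version 2 keytab format that Heimdal's ktutil and MIT's kadmin write and lists the user principals whose keys a host holds, so an administrator can see what that file exposes. The sample keytab bytes, the realm EXAMPLE.ORG and the principals in it are constructed in the script; nothing contacts a KDC.

```python
"""Parse a Kerberos v2 keytab (0x0502) and list whose long-term keys it holds."""
import struct

KEYTAB_MAGIC = b"\x05\x02"  # version 2 keytab: entries carry a name type

# Encryption type numbers from RFC 3961/3962/4757, for readable output.
ENCTYPE_NAMES = {
    1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
    23: "arcfour-hmac-md5",
}


def _get_counted(data, off):
    """Read a 16-bit big-endian length-prefixed octet string."""
    (n,) = struct.unpack_from(">H", data, off)
    off += 2
    return bytes(data[off:off + n]), off + n


def _put_counted(raw):
    return struct.pack(">H", len(raw)) + raw


def build_entry(principal, realm, kvno, enctype, key, timestamp, name_type=1):
    """Encode one keytab entry; principal is 'comp1/comp2' without the realm."""
    comps = principal.split("/")
    body = struct.pack(">H", len(comps)) + _put_counted(realm.encode())
    for comp in comps:
        body += _put_counted(comp.encode())
    body += struct.pack(">IIB", name_type, timestamp, kvno & 0xFF)
    body += struct.pack(">HH", enctype, len(key)) + key
    body += struct.pack(">I", kvno)          # optional 32-bit kvno extension
    return struct.pack(">i", len(body)) + body


def deleted_slot(nbytes):
    """A removed entry: negative size, its bytes stay in the file as a hole."""
    return struct.pack(">i", -nbytes) + b"\x00" * nbytes


def parse_keytab(data):
    """Return entry dicts; deleted slots are skipped and key bytes are not returned."""
    if data[:2] != KEYTAB_MAGIC:
        raise ValueError("unsupported keytab version %r" % data[:2])
    off, entries = 2, []
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size <= 0:
            off += -size            # skip the hole left by 'ktutil remove'
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        off += 2
        realm, off = _get_counted(data, off)
        comps = []
        for _ in range(ncomp):
            comp, off = _get_counted(data, off)
            comps.append(comp.decode())
        name_type, timestamp, vno8 = struct.unpack_from(">IIB", data, off)
        off += 9
        enctype, klen = struct.unpack_from(">HH", data, off)
        off += 4 + klen             # step over the key material itself
        kvno = vno8
        if end - off >= 4:          # 32-bit kvno present; nonzero overrides vno8
            (vno32,) = struct.unpack_from(">I", data, off)
            if vno32:
                kvno = vno32
        off = end
        entries.append({
            "principal": "%s@%s" % ("/".join(comps), realm.decode()),
            "kvno": kvno,
            "enctype": ENCTYPE_NAMES.get(enctype, str(enctype)),
            "key_len": klen,
            "timestamp": timestamp,
        })
    return entries


def user_principals(entries):
    """Single-component principals: user keys rather than host/service keys.
    With the scheme in the thread every OTP user's long-term key sits in this
    file, so anyone who can read it can impersonate all of them to the KDC."""
    return sorted(e["principal"] for e in entries
                  if "/" not in e["principal"].split("@")[0])


# Constructed sample keytab: a host key, two user keys and one deleted slot.
NOW = 1046424439                     # 28 Feb 2003 09:27:19 UTC, the thread's date
SAMPLE_KEYTAB = (
    KEYTAB_MAGIC
    + build_entry("host/telnet.example.org", "EXAMPLE.ORG", 3, 16, b"\x11" * 24, NOW, name_type=3)
    + build_entry("alice", "EXAMPLE.ORG", 1, 3, b"\x22" * 8, NOW)
    + deleted_slot(40)
    + build_entry("bob", "EXAMPLE.ORG", 300, 3, b"\x33" * 8, NOW)  # kvno > 255 needs the 32-bit field
)

if __name__ == "__main__":
    found = parse_keytab(SAMPLE_KEYTAB)
    for e in found:
        print("%-36s kvno=%-4d %s (%d-byte key)" % (e["principal"], e["kvno"], e["enctype"], e["key_len"]))
    print("user keys on this host:", ", ".join(user_principals(found)))
```

Run against a real file with `parse_keytab(open("/etc/krb5.keytab", "rb").read())`; a non-empty `user_principals` result is the thing to audit, since those keys outlive any one-time password and are only as safe as the file's permissions and the host's root account.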