[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Kerberos tickets and one time passwords

On Mon, Mar 10, 2003 at 11:25:18AM +0100, Andreas Haupt wrote:
> On Mon, 10 Mar 2003, Daniel Kouril wrote:
> > (sorry for the delay, I was on vacation last week)
> > We have developed a service for "transformation" of OTP's to krb5 tickets,
> > it's based on SASL and krb525 mechanisms. This way we are able to create krb5
> > tickets for users authenticated via OTP without requiring the users to store
> > their keys into keytabs. We also adapted the libotp library from Heimdal to
> > support this service, so only relinking of the login program (which supports
> > OTP authentication) is needed. I could provide you with more information and
> > source code if you are interested.
> This sounds very interesting! But how does it work? Are the otps derived
> from the user's key?

No, the user first has to initialize OTP record on the server via
/usr/heimdal/bin/otp (or make the administrator do it). So the OTP values are
not tied with the user's long-term key and can be changed arbitrarily.