
Re: Kerberos tickets and one time passwords



On Mon, 10 Mar 2003, Daniel Kouril wrote:

> On Mon, Mar 10, 2003 at 11:25:18AM +0100, Andreas Haupt wrote:
> > On Mon, 10 Mar 2003, Daniel Kouril wrote:
> >
> > > (sorry for the delay, I was on vacation last week)
> > > We have developed a service for "transformation" of OTPs to krb5 tickets;
> > > it's based on SASL and krb525 mechanisms. This way we are able to create krb5
> > > tickets for users authenticated via OTP without requiring the users to store
> > > their keys in keytabs. We also adapted the libotp library from Heimdal to
> > > support this service, so only relinking of the login program (which supports
> > > OTP authentication) is needed. I could provide you with more information and
> > > source code if you are interested.
> >
> > This sounds very interesting! But how does it work? Are the otps derived
> > from the user's key?
>
> No, the user first has to initialize an OTP record on the server via
> /usr/heimdal/bin/otp (or make the administrator do it). So the OTP values are
> not tied to the user's long-term key and can be changed arbitrarily.

So how does it work? How can you decrypt the reply to a TGS request from
the authentication server? This reply is encrypted with the user's key,
so you either need the user's password or have to take the key directly
from a keytab file.

Greetings

-- 
Andreas Haupt         E-Mail: ahaupt@ifh.de
 DESY Zeuthen
 Platanenallee 6
 15738 Zeuthen
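The objection raised in this reply can be made concrete with a small model. The following Python is an added example and is not Daniel Kouril's service, Heimdal's libotp, or krb525 code: it implements the RFC 2289 (S/KEY-style) OTP hash chain that `otp(1)` initialises on the server, and next to it a toy AS exchange whose reply is sealed under a key derived from the user's long-term password. The `string2key` and `seal`/`unseal` routines are stand-ins for the real Kerberos enctypes (RFC 3962 uses PBKDF2-SHA1 plus a DK step and AES), and the realm, principal, passphrase and seed are constructed values. The demo shows that the OTP verifies on its own, that a replayed OTP is refused, and that knowing the OTP alone yields nothing that unseals the enc-part, which is exactly the gap the question points at.

```python
"""RFC 2289 one-time passwords next to a toy Kerberos AS exchange (added example)."""
import hashlib
import hmac
import json
import os


# ---- RFC 2289 one-time passwords, "md5" variant --------------------------
def otp_fold_md5(data: bytes) -> bytes:
    """One chain step: MD5, then fold the 16-byte digest to 8 bytes by XOR."""
    d = hashlib.md5(data).digest()
    return bytes(a ^ b for a, b in zip(d[:8], d[8:]))


def otp_generate(passphrase: str, seed: str, count: int) -> bytes:
    """OTP number `count`: crunch lower-cased seed + passphrase, then hash
    the 8-byte result `count` more times. Only the user can compute this."""
    value = otp_fold_md5((seed.lower() + passphrase).encode())
    for _ in range(count):
        value = otp_fold_md5(value)
    return value


class OtpRecord:
    """Server-side state as created by something like `otp(1)`: the last
    accepted value and its sequence number. It holds no long-term key."""

    def __init__(self, passphrase: str, seed: str, count: int):
        self.seed, self.count = seed, count
        self.last = otp_generate(passphrase, seed, count)

    def verify(self, candidate: bytes) -> bool:
        """Accept iff hashing the candidate once reproduces the stored value;
        then advance so the same OTP cannot be replayed."""
        if self.count == 0 or not hmac.compare_digest(otp_fold_md5(candidate), self.last):
            return False
        self.count -= 1
        self.last = candidate
        return True


# ---- Toy Kerberos AS exchange ---------------------------------------------
def string2key(password: str, salt: str) -> bytes:
    """Stand-in for Kerberos string2key (RFC 3962 uses PBKDF2-SHA1 + DK)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 4096, 32)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Toy encrypt-then-MAC standing in for a Kerberos enctype (not for production)."""
    nonce = os.urandom(16)
    ct = bytes(p ^ s for p, s in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes):
    """Return the plaintext, or None if the key is wrong or the blob was tampered."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()):
        return None
    return bytes(c ^ s for c, s in zip(ct, _keystream(key, nonce, len(ct))))


class ToyKDC:
    def __init__(self, realm: str):
        self.realm, self.db = realm, {}

    def add_principal(self, name: str, password: str) -> None:
        self.db[name] = string2key(password, self.realm + name)

    def as_rep(self, name: str) -> dict:
        """AS-REP: opaque ticket plus enc-part sealed under the user's long-term
        key. The KDC knows nothing about the user's OTP chain."""
        enc = {"cname": name, "session_key": os.urandom(32).hex()}
        return {"ticket": b"<opaque, sealed for krbtgt>",
                "enc-part": seal(self.db[name], json.dumps(enc).encode())}


def demo() -> dict:
    """Constructed scenario: user 'alice' in EXAMPLE.ORG with an OTP record at count 99."""
    realm, user = "EXAMPLE.ORG", "alice"
    kdc = ToyKDC(realm)
    kdc.add_principal(user, "long-term-pw")
    record = OtpRecord("This is a test.", "TeSt", 99)
    otp98 = otp_generate("This is a test.", "TeSt", 98)   # what the user types next
    rep = kdc.as_rep(user)
    return {
        "otp_ok": record.verify(otp98),
        "otp_replay": record.verify(otp98),
        "with_password": unseal(string2key("long-term-pw", realm + user), rep["enc-part"]) is not None,
        "with_otp_only": unseal(string2key(otp98.hex(), realm + user), rep["enc-part"]) is None,
    }


if __name__ == "__main__":
    print(demo())
```

The OTP check and the AS-REP decryption share no secret: the server record stores only hash-chain values, and the enc-part can only be opened by whoever holds the password-derived key or a keytab copy of it. Any scheme that turns a verified OTP into a ticket therefore needs some other party that holds or can obtain a usable key on the user's behalf, which is the piece the thread is asking about.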