
Re: Kerberos tickets and one time passwords

On Mon, Mar 10, 2003 at 01:07:36PM +0100, Andreas Haupt wrote:
> So how does it work? How can you decrypt the answer of a TGS request from
> the authentication server? This answer is encrypted with the user's key.
> So you either need the user's password or take the key directly from a
> keytab file.

The login program doesn't contact the KDC directly; a separate service is
used to verify the OTP and create tickets. The whole scenario is as follows:

1. The user uses a non-kerberized telnet client and passes the OTP to the telnet
2. The login program called by the telnet server contacts our service,
   requesting a ticket for that user; the OTP is sent as part of the request.
3. The service verifies the OTP and contacts the 525 daemon (running on the KDC
   machine), asking for a ticket for that user. This 525 request is secured with
   the service credential of our service.
4. The received ticket, along with the corresponding session key, is sent back to
   the login program, which stores the credentials on disk. This
   communication is secured with SSL. After receiving the ticket, the
   user is allowed to access the server.