Re: One Time Password Support

On Jul 27, 2006, at 8:46 PM, Andrew Bartlett wrote:

> On Thu, 2006-07-27 at 16:47 -0700, Henry B. Hotz wrote:
>> I notice that Heimdal includes some OTP support, but it appears to
>> only be used by pop and ftpd and the like.
>> Anything like that for the KDC?
> Not built in, as far as I've seen.  I don't think it would be that hard to
> build, if you wanted to.

No, I don't think so.

You'd need to do an update every time a successful authentication  
happened, so use of iprop[d] becomes mandatory, instead of merely an  
alternative to hprop.  Since an automated process couldn't use this  
mechanism you don't have the performance impact of supporting a  
really heavy load, so that ought to be OK.

SecurID tokens would be OK, except for the security impact of the
way RSA's API forces you to use them.  (RSA authenticates the KDC,
not the end user.)
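
The replication point in the message above, as an added example that is not part of the original message or of Heimdal: an OTP consumed on one KDC stays valid on any replica that has not yet received the counter update. RFC 4226 HOTP stands in for the OTP scheme (an assumption; the thread does not name one), and `Replica` and `demo` are hypothetical names.

```python
import hashlib
import hmac
import struct

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP value for one counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation offset
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

class Replica:
    """Hypothetical KDC database copy holding one principal's OTP counter."""

    def __init__(self, secret: bytes, counter: int = 0):
        self.secret = secret
        self.counter = counter

    def verify(self, code: str, window: int = 3) -> bool:
        """Accept a code at or slightly ahead of the stored counter, then advance."""
        for c in range(self.counter, self.counter + window):
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.counter = c + 1  # the per-authentication database update
                return True
        return False

def demo(incremental: bool):
    """Return (first use accepted on master, same code accepted on slave)."""
    secret = b"12345678901234567890"  # constructed secret (RFC 4226 test key)
    master, slave = Replica(secret), Replica(secret)
    code = hotp(secret, 0)
    first = master.verify(code)
    if incremental:
        # Counter change pushed to the slave as soon as it happens.
        slave.counter = master.counter
    # Without that push the slave still holds the old counter until the
    # next full database dump reaches it.
    replay = slave.verify(code)
    return first, replay

if __name__ == "__main__":
    print("periodic full dump:", demo(incremental=False))
    print("incremental update:", demo(incremental=True))
```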
