
Adding Support for External (One Time) Passwords

. . . like OTPs.  I know the top entry points.  I can find the right
openssl routines and set breakpoints to get the whole call stack to
find where the relevant code paths are.

. . . but I expect it's also useful to ask for advice and pointers  
here.  If the password (keys) aren't in the KDC's DB, but somewhere  
else, where do I need to hook in?

I'm thinking of some code that gets activated if the hw-preauth flag  
is set in the DB.  Where does it go?  Hmmm.

Maybe it really goes inside the HDB stuff, and it "makes up" a set of  
keys when the record is read?  But does the system read a record more  
than once per request?  (If so then by definition of "one time  
password" it gets a different answer the second time.)

Anybody care to stream-of-consciousness some comments?

Note:  I am not talking about draft-ietf-krb-wg-kerberos-sam-03.txt,
or any of the other OTP proposals.  I'm talking about an
actual password that just happens to be determined by some external

The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz@jpl.nasa.gov, or hbhotz@oxy.edu