Adding Support for External (One Time) Passwords
. . . like OTPs. I know the top entry points. I can find the right
openssl routines and set breakpoints to get the whole call stack to
find where the relevant code paths are.
. . . but I expect it's also useful to ask for advice and pointers
here. If the password (keys) aren't in the KDC's DB, but somewhere
else, where do I need to hook in?
I'm thinking of some code that gets activated if the hw-preauth flag
is set in the DB. Where does it go? Hmmm.
Maybe it really goes inside the HDB stuff, and it "makes up" a set of
keys when the record is read? But does the system read a record more
than once per request? (If so then by definition of "one time
password" it gets a different answer the second time.)
Anybody care to stream-of-consciousness some comments?
Note: I am not talking about a draft-ietf-krb-wg-kerberos-sam-03.txt,
or any of the other OTP proposals. I'm talking about an
actual password that just happens to be determined by some external
system.
------------------------------------------------------------------------
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz@jpl.nasa.gov, or hbhotz@oxy.edu