Re: Adding Support for External (One Time) Passwords





Henry B. Hotz wrote:
> . . . like OTP's.  I know the top entry points.  I can find the right 
> openssl routines and set breakpoints to get the whole call stack to find 
> where the relevant code paths are.
> 
> . . . but I expect it's also useful to ask for advice and pointers 
> here.  If the password (keys) aren't in the KDC's DB, but somewhere 
> else, where do I need to hook in?
> 
> I'm thinking of some code that gets activated if the hw-preauth flag is 
> set in the DB.  Where does it go?  Hmmm.
> 
> Maybe it really goes inside the HDB stuff, and it "makes up" a set of 
> keys when the record is read?  But does the system read a record more 
> than once per request?  (If so then by definition of "one time password" 
> it gets a different answer the second time.)
> 
> Anybody care to stream-of-consciousness some comments?

Tomorrow, I am off to play some golf, it's 80 degrees out and maybe the last good day.

> 
> Note:  I am not talking about a draft-ietf-krb-wg-kerberos-sam-03.txt, 
> or any of the other OTP proposals.  I'm talking about an actual password 
> that just happens to be determined by some external system.
> 
> ------------------------------------------------------------------------
> The opinions expressed in this message are mine,
> not those of Caltech, JPL, NASA, or the US Government.
> Henry.B.Hotz@jpl.nasa.gov, or hbhotz@oxy.edu
> 
> 

-- 

  Douglas E. Engert  <DEEngert@anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444