
Re: Adding Support for External (One Time) Passwords

On Oct 4, 2007, at 12:30 PM, Douglas E. Engert wrote:

> Henry B. Hotz wrote:
>> . . . like OTP's.  I know the top entry points.  I can find the  
>> right openssl routines and set breakpoints to get the whole call  
>> stack to find where the relevant code paths are.
>> . . . but I expect it's also useful to ask for advice and pointers  
>> here.  If the password (keys) aren't in the KDC's DB, but  
>> somewhere else, where do I need to hook in?
>> I'm thinking of some code that gets activated if the hw-preauth  
>> flag is set in the DB.  Where does it go?  Hmmm.
>> Maybe it really goes inside the HDB stuff, and it "makes up" a set  
>> of keys when the record is read?  But does the system read a  
>> record more than once per request?  (If so then by definition of  
>> "one time password" it gets a different answer the second time.)
>> Anybody care to stream-of-consciousness some comments?
> tomorrow, I am off to play some golf, it's 80 degrees out and maybe
> the last good day.

OK, OK, I suppose I asked for that.  ;-)

>> Note:  I am not talking about a draft-ietf-krb-wg-kerberos-sam-03.txt,
>> or any of the other OTP proposals.  I'm talking about an actual
>> password that just happens to be determined by some external system.

The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz@jpl.nasa.gov, or hbhotz@oxy.edu
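The "does the system read a record more than once per request?" worry above is worth seeing concretely. The following is an added example, not Heimdal code and not anything from the thread's participants: it models an external event-based OTP source whose answer changes on every query, a naive principal-record fetch that derives the long-term keys from the current OTP on each read (so two reads within one request disagree), and a request-scoped cache in front of it so every read during a single AS exchange sees the same derived keys. The `RequestScopedHdb` class, the `hw_preauth` record field, the request id, and the PBKDF2-based `otp_to_key` are all hypothetical stand-ins (a real KDC would use the enctype's string-to-key); the token seed and principal name are constructed.

```python
import hashlib
import hmac
import struct


class ExternalOtpSource:
    """Constructed stand-in for an external OTP system.

    Codes are HOTP-style (RFC 4226 dynamic truncation over HMAC-SHA1) and
    the counter advances on every query, so two queries never return the
    same code: that is exactly the 'one time' property the thread worries
    about when a record might be read twice.
    """

    def __init__(self, seed: bytes, counter: int = 0) -> None:
        self.seed = seed
        self.counter = counter
        self.queries = 0  # how many times the external system was asked

    def current_code(self) -> str:
        digest = hmac.new(self.seed, struct.pack(">Q", self.counter),
                          hashlib.sha1).digest()
        offset = digest[-1] & 0x0F
        binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
        self.counter += 1
        self.queries += 1
        return f"{binary % 1_000_000:06d}"


def otp_to_key(principal: str, code: str) -> bytes:
    # Hypothetical key derivation; a real KDC would apply the enctype's
    # string-to-key function to the OTP instead of PBKDF2.
    return hashlib.pbkdf2_hmac("sha256", code.encode(), principal.encode(),
                               10_000, 32)


def fetch_record_naive(principal: str, source: ExternalOtpSource) -> dict:
    # The "make up a set of keys when the record is read" idea: every read
    # asks the external system and derives keys from whatever it returns.
    return {
        "principal": principal,
        "hw_preauth": True,  # hypothetical flag gating the external lookup
        "keys": [otp_to_key(principal, source.current_code())],
    }


class RequestScopedHdb:
    """Hypothetical wrapper: one external query per (request, principal).

    All reads of the same record inside one request return the cached
    result, so the derived keys cannot change mid-request.
    """

    def __init__(self, source: ExternalOtpSource) -> None:
        self.source = source
        self._cache: dict[tuple[str, str], dict] = {}

    def fetch(self, request_id: str, principal: str) -> dict:
        key = (request_id, principal)
        if key not in self._cache:
            self._cache[key] = fetch_record_naive(principal, self.source)
        return self._cache[key]

    def end_request(self, request_id: str) -> None:
        # Drop the cached records once the request is finished so the next
        # request gets a fresh OTP (and therefore fresh keys).
        for key in [k for k in self._cache if k[0] == request_id]:
            del self._cache[key]


def demonstrate() -> dict:
    principal = "user@EXAMPLE.ORG"  # constructed

    naive = ExternalOtpSource(b"constructed-token-seed")
    first = fetch_record_naive(principal, naive)
    second = fetch_record_naive(principal, naive)

    scoped = RequestScopedHdb(ExternalOtpSource(b"constructed-token-seed"))
    s1 = scoped.fetch("req-1", principal)
    s2 = scoped.fetch("req-1", principal)
    scoped.end_request("req-1")
    s3 = scoped.fetch("req-2", principal)

    return {
        "naive_consistent": first["keys"] == second["keys"],
        "scoped_consistent": s1["keys"] == s2["keys"],
        "next_request_differs": s1["keys"] != s3["keys"],
        "external_queries": scoped.source.queries,
    }


if __name__ == "__main__":
    print(demonstrate())
```

The naive path reports inconsistent keys across two reads, while the request-scoped path keeps them stable and still only consults the external system once per request; wherever the hook actually lands in the KDC, the lookup needs that kind of per-request memoisation or the preauth check can race against the token counter.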