Hi Tim,

It's really nice. I could see that you are able to use hardware tokens with MIT Kerberos. If you are comfortable, could you explain to me the way you have done it? It will be great.
-gopal

On 7/25/07, Tim Alsop <[EMAIL PROTECTED]> wrote:
>
> Gopal,
>
> It is not easy to do. If you are interested, we already have a solution - see example below:
>
> # kinit talsop
> Password for [EMAIL PROTECTED]:
> Enter Passcode (PIN+Tokencode) or Tokencode from your SecurID Token:
> # klist -ef
> Cache Type: Kerberos V5 Credentials Cache
> Cache File: /krb5/tmp/cc/krb5cc_0
> Cache Version: 0502
> Default Principal: [EMAIL PROTECTED]
>
> Valid From                    Expires                       Service Principal
> ----------------------------  ----------------------------  -----------------
> Wed 25 Jul 2007 22:24:51 BST  Thu 26 Jul 2007 06:24:41 BST  krbtgt/[EMAIL PROTECTED]
> Session Key EType: 5 (DES3-CBC-MD5)
> Ticket EType: 5 (DES3-CBC-MD5)
> Ticket Flags: IHA
> #
>
> Note the H flag in ticket flags - this indicates that a hardware token was used to obtain the TGT.
>
> Thanks,
> Tim
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gopal Paliwal
> Sent: 25 July 2007 21:31
> To: kerberos@mit.edu
> Subject: Implementing OTP mechanism with existing kerberos
>
> Hi,
>
> I am implementing an OTP mechanism in the existing Kerberos.
> I have set up a pre-auth mechanism to authenticate the clients.
> Now, the user will be asked for password+OTP instead of just password. I will be generating this OTP with a hardware token.
>
> Also, I will be encrypting the time-stamp with password & OTP.
> At the Kerberos authentication server, I will be able to generate an OTP.
>
> Now, the problem which I will face is that Kerberos doesn't store passwords in clear form, and I somehow need to form a key at the Kerberos authentication server side to decrypt the time-stamp sent in the AS_REQ message by the user.
> That key will be made up of OTP + password.
> Can someone point out to me the mechanism by which I can obtain the password in clear form, or another way with which I will be able to resolve my doubt?
>
> -gopal
> ________________________________________________
> Kerberos mailing list Kerberos@mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos