Hi,

I wish to perform different types of preauth mechanism for different users. The implementation will be such that some users will be authenticated through the normal password-encrypted timestamp, some users will be authenticated through the OTP-based mechanism, whereas some users will require both types of pre-authentication. I suppose that Kerberos by default supports the password-encrypted timestamp, because when we do modprinc +requires_preauth principal, it automatically activates the password-encrypted timestamp feature for that particular user and it doesn't give us any option as of now to specify which type of authentication is needed. Is there any way we can specify different preauth mechanisms for different users?

I further wish to know how flexible it is to use the PADATA field in KRB5_AS_REQ to send a sequence of multiple preauth type-value pairs. For example, one type(value) pair sent is PA_ENC_TIMESTAMP(value of passwd encrypted timestamp) and the other type(value) pair in the same request will be, let's say, PA_ENC_OTP(value of OTP encrypted timestamp). The authentication server will do the client lookup and, from the preauth mechanism set for that particular user, it will generate the proper preauth error.

Also, I wish to know whether the authentication server uses LDAP or DB for storing principal names and attributes by default.

Thanks,
gopal

________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos