On Mon, Oct 30, 2017 at 9:11 PM, Benjamin Kaduk <ka...@mit.edu> wrote:
> On Mon, Oct 30, 2017 at 09:05:10AM -0700, Pallissard, Matthew wrote:
> > > any ideas how to implement OTP for Windows with MIT kerberos client?
> > > possible?
> >
> > I don't know if KFW 4.1 supports OTP but what I do know is that in the
> > past I couldn't get PKINIT working with KFW. I had to implement heimdal on
> > the client end.
> >
> > https://www.mail-archive.com/kfwdev@mit.edu/msg00822.html
> >
> > Could be related. Someone here could probably speak to that better than
> > myself though.
>
> It's quite related, yes.
>
> The FAST OTP mechanism of RFC 6560 requires a FAST tunnel to exist over
> which the OTP value is sent. Generally this tunnel is obtained via
> anonymous PKINIT, but PKINIT of all forms is not currently implemented
> in KfW. In principle, the needed FAST tunnel could be obtained in
> other ways, e.g., via a machine keytab, but the number of situations
> in which these other methods would actually be useful is quite limited.
> This is why moving to SPAKE will make OTP easier to accomplish and support with KfW.
>
> -Ben
> ________________________________________________
> Kerberos mailing list Kerberos@mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos

--
Thank you,
Dmitri Pal
Engineering Director, Identity Management and Platform Security
Red Hat, Inc.
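For readers who want to see what the armor step Ben describes looks like where it does work, here is an added example (not from the thread, and not KfW code): a POSIX shell script for a Unix MIT krb5 client that obtains the FAST armor ticket either via anonymous PKINIT (kinit -n) or via a machine keytab, and then runs the OTP kinit inside the FAST tunnel with -T. The anonymous PKINIT path is exactly the one KfW cannot take, since it has no PKINIT. It assumes a KDC with the otp preauth module enabled, pkinit_anchors in the client krb5.conf and the WELLKNOWN/ANONYMOUS principal on the KDC for the first path, or a readable host keytab for the second; the realm EXAMPLE.COM, the principal alice, and the cache paths are placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread or from MIT krb5/KfW.
# Shows the two armor sources from Ben's message on a Unix MIT krb5 client:
#   1. anonymous PKINIT (the path KfW lacks)
#   2. a machine keytab (works without PKINIT, but only on joined hosts)
# followed by the RFC 6560 OTP kinit, which sends the token value inside the
# FAST tunnel instead of in the clear.
# Assumptions: KDC has the otp preauth module enabled; for path 1 the client
# krb5.conf has pkinit_anchors and the KDC serves WELLKNOWN/ANONYMOUS; for
# path 2 the caller can read the host keytab. Names below are placeholders.
set -eu

REALM="${REALM:-EXAMPLE.COM}"                     # placeholder realm
USER_PRINC="${USER_PRINC:-alice@$REALM}"          # the OTP user (placeholder)
ARMOR_CC="${ARMOR_CC:-/tmp/krb5cc_armor_$$}"      # private cache for the armor TGT
KEYTAB="${KEYTAB:-/etc/krb5.keytab}"              # default system keytab location
HOST_PRINC="${HOST_PRINC:-host/$(hostname -f 2>/dev/null || echo localhost)@$REALM}"

# Armor source 1: anonymous PKINIT. "kinit -n @REALM" asks for a fully
# anonymous ticket; the client presents no credential of its own and only
# has to validate the KDC certificate against pkinit_anchors.
armor_via_anonymous_pkinit() {
    kinit -n -c "$ARMOR_CC" "@$REALM"
}

# Armor source 2: a machine keytab. No PKINIT needed, but it requires a host
# already joined to the realm whose keytab the caller may read, which is the
# "quite limited" set of situations in Ben's message.
armor_via_keytab() {
    kinit -k -t "$KEYTAB" -c "$ARMOR_CC" "$HOST_PRINC"
}

# With an armor ticket in ARMOR_CC, -T makes kinit wrap the AS exchange in
# FAST; the otp client preauth module then prompts for the token value and
# sends it inside the encrypted tunnel.
otp_kinit() {
    kinit -T "$ARMOR_CC" "$USER_PRINC"
}

# The armor TGT is throwaway; remove it once the user's own TGT is in place.
cleanup_armor() {
    kdestroy -c "$ARMOR_CC"
}

# usage: ./otp-kinit.sh pkinit    or    ./otp-kinit.sh keytab
case "${1:-}" in
    pkinit) armor_via_anonymous_pkinit; otp_kinit; cleanup_armor ;;
    keytab) armor_via_keytab;           otp_kinit; cleanup_armor ;;
    "")     ;;   # sourced or run without an argument: only define the functions
    *)      echo "usage: $0 pkinit|keytab" >&2; exit 2 ;;
esac
```

Run it as `./otp-kinit.sh pkinit` on a client where anonymous PKINIT is configured, or `./otp-kinit.sh keytab` as a user who can read the host keytab; kinit will prompt for the OTP token value during the final step. Keeping the armor ticket in its own cache (-c on the armor kinit, -T on the user kinit) avoids clobbering the user's default credential cache with the anonymous or host ticket.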