
Re: Kerberos tickets and one time passwords



On Fri, 28 Feb 2003, Brian May wrote:

> On Fri, Feb 28, 2003 at 08:17:37AM +0100, Andreas Haupt wrote:
> > for some reason we need a (telnet) login with one time passwords. The
> > problem is that you don't get a kerberos ticket with the telnet supplied
> > with heimdal. Users have to do klog to work on their AFS home directories,
> > so the clear password is transmitted over the network.
> >
> > I thought of modifying the telnetd source to let it automatically do a
> > kinit. The keys of those users are stored in a keytab file on the telnet
> > server. All I have to do is something like "kinit -k -t <keytab file>"
> > after the user logged in properly with his one time password.
>
> I wouldn't modify telnetd, login might be better.

OK. This place looks better somehow.

> Why not just modify the users login scripts though?

Because those scripts are in AFS and without a token they cannot be read.
The keytab file should also only be readable by the user telnet runs with,
not by the user themselves.

Thanks.
Andreas

-- 
Andreas Haupt         E-Mail: ahaupt@ifh.de
 DESY Zeuthen
 Platanenallee 6
 15738 Zeuthen
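The approach discussed in this thread (after a successful one-time-password login, run kinit from a keytab held on the server, then turn the ticket into an AFS token, with the keytab never readable by the user) sketched as a post-login hook. This is added example code, not from the thread, Heimdal or OpenAFS; the keytab path, the aklog call, the per-session cache naming and all function names are assumptions.

```python
#!/usr/bin/env python3
"""Hypothetical post-login hook: obtain a Kerberos ticket for the user from a
server-held keytab (the user's key never crosses the network) and an AFS
token, refusing to run if the keytab is readable by anyone but the service."""
import os
import stat
import subprocess
import tempfile

KEYTAB = "/etc/krb5.user.keytab"  # assumed path; holds one entry per user


def keytab_is_private(path: str, service_uid: int) -> bool:
    """True only if the keytab is a regular file owned by the service account
    with no group or world permission bits (the design in the thread depends
    on the logged-in user not being able to read it)."""
    st = os.stat(path)
    if not stat.S_ISREG(st.st_mode) or st.st_uid != service_uid:
        return False
    return (st.st_mode & (stat.S_IRWXG | stat.S_IRWXO)) == 0


def ticket_commands(principal: str, ccache: str, keytab: str = KEYTAB):
    """kinit from the keytab into a per-session cache, then aklog (OpenAFS;
    Heimdal ships afslog) to exchange the ticket for an AFS token."""
    return [
        ["kinit", "-k", "-t", keytab, "-c", ccache, principal],
        ["aklog"],
    ]


def acquire(principal: str, user_uid: int, service_uid: int,
            keytab: str = KEYTAB) -> str:
    """Run the hook while still privileged; hand the cache to the user."""
    if not keytab_is_private(keytab, service_uid):
        raise PermissionError(f"{keytab}: must be owned by uid {service_uid}, mode 0600")
    fd, ccache = tempfile.mkstemp(prefix="krb5cc_")  # per-session cache
    os.close(fd)
    env = dict(os.environ, KRB5CCNAME=f"FILE:{ccache}")
    for cmd in ticket_commands(principal, ccache, keytab):
        subprocess.run(cmd, env=env, check=True)
    os.chown(ccache, user_uid, -1)  # only the cache, never the keytab, goes to the user
    return ccache
```
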