Re: One Time Password Support
On Jul 27, 2006, at 8:46 PM, Andrew Bartlett wrote:
> On Thu, 2006-07-27 at 16:47 -0700, Henry B. Hotz wrote:
>> I notice that Heimdal includes some OTP support, but it appears to
>> only be used by pop and ftpd and the like.
>>
>> Anything like that for the KDC?
>
> Not built in, as far as I've seen. I don't think it would be that hard
> to build, if you wanted to.
No, I don't think so.

You'd need to do an update every time a successful authentication
happened, so use of iprop[d] becomes mandatory, instead of merely an
alternative to hprop. Since an automated process couldn't use this
mechanism, you don't have the performance impact of supporting a
really heavy load, so that ought to be OK.

SecurID tokens would be OK, except for the security impact of the
way RSA's API forces you to use them. (RSA authenticates the KDC,
not the end user.)
----------------------------------------------------------------------------
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz@jpl.nasa.gov, or hbhotz@oxy.edu
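
Added example, not part of the original message and not Heimdal code: a small simulation of why per-authentication OTP state has to reach every KDC replica before the next request. It assumes an S/Key-style hash chain built on SHA-256; `KdcDb`, `full_dump` and `simulate` are hypothetical names, with `full_dump` standing in for an hprop-style full copy and the per-authentication copy standing in for iprop-style incremental propagation.

```python
import hashlib

def h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def chain(seed: bytes, n: int) -> bytes:
    """Apply h() n times to the seed (S/Key-style hash chain)."""
    value = seed
    for _ in range(n):
        value = h(value)
    return value

class KdcDb:
    """Hypothetical per-principal OTP state: the last accepted chain value."""
    def __init__(self):
        self.last = {}

    def enroll(self, principal: str, seed: bytes, n: int) -> None:
        self.last[principal] = chain(seed, n)

    def verify(self, principal: str, otp: bytes) -> bool:
        # Valid only if hashing the OTP yields the stored value.
        if h(otp) != self.last.get(principal):
            return False
        # The database write that every successful authentication requires.
        self.last[principal] = otp
        return True

def full_dump(src: KdcDb, dst: KdcDb) -> None:
    """Stand-in for a periodic full database copy (hprop-style)."""
    dst.last = dict(src.last)

def simulate(propagate_each_auth: bool):
    """Return (first use on primary accepted, reuse on replica accepted)."""
    principal, seed, n = "user@EXAMPLE.ORG", b"constructed-seed", 100  # constructed values
    primary, replica = KdcDb(), KdcDb()
    primary.enroll(principal, seed, n)
    full_dump(primary, replica)          # replica is in sync at enrollment time
    otp = chain(seed, n - 1)             # the user's next one-time password
    first = primary.verify(principal, otp)
    if propagate_each_auth:
        # Stand-in for incremental propagation (iprop-style) of the single update.
        replica.last[principal] = primary.last[principal]
    reused = replica.verify(principal, otp)
    return first, reused

if __name__ == "__main__":
    print("full dumps only:      ", simulate(False))
    print("per-auth propagation: ", simulate(True))
```

With only periodic full copies the replica still accepts the password that the primary has already consumed; once each update is propagated, the replica rejects it.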