Re: Adding Support for External (One Time) Passwords
On Oct 4, 2007, at 12:30 PM, Douglas E. Engert wrote:
>
>
> Henry B. Hotz wrote:
>> . . . like OTP's. I know the top entry points. I can find the
>> right openssl routines and set breakpoints to get the whole call
>> stack to find where the relevant code paths are.
>> . . . but I expect it's also useful to ask for advice and pointers
>> here. If the password (keys) aren't in the KDC's DB, but
>> somewhere else, where do I need to hook in?
>> I'm thinking of some code that gets activated if the hw-preauth
>> flag is set in the DB. Where does it go? Hmmm.
>> Maybe it really goes inside the HDB stuff, and it "makes up" a set
>> of keys when the record is read? But does the system read a
>> record more than once per request? (If so then by definition of
>> "one time password" it gets a different answer the second time.)
>> Anybody care to stream-of-consciousness some comments?
>
> tomorrow, I am off to play some golf, it's 80 degrees out and maybe
> the last good day.
OK, OK, I suppose I asked for that. ;-)
>> Note: I am not talking about a
>> draft-ietf-krb-wg-kerberos-sam-03.txt, or any of the other OTP
>> proposals. I'm talking about an actual password that just happens
>> to be determined by some external system.
------------------------------------------------------------------------
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz@jpl.nasa.gov, or hbhotz@oxy.edu