Kerberos and one-time-passwords - Kerberos


Thread: Kerberos and one-time-passwords

  1. Kerberos and one-time-passwords

    If we allow users kerberised access to their home directories over NFS
    we would like them to be able to login to machines from remote hosts
    without exposing their kerberos keys. The only secure way seems to be
    via one-time-passwords. Unfortunately our 'KDC' is Microsoft Active
    Directory so that isn't possible. Would it have been possible using
    MIT or Heimdal kerberos?

    Are there any alternatives whereby a trusted agent (daemon) can be
    given user's keytabs and can use them to get tickets on the user's
    behalf after the users authenticate using one time passwords? We
    already have a one time password PAM module so could use this in an
    implementation. But I am having difficulty seeing how it could be
    done securely. Does anyone have any experience of schemes like this?

    Ian Grant
    ________________________________________________
    Kerberos mailing list Kerberos@mit.edu
    https://mailman.mit.edu/mailman/listinfo/kerberos


  2. Re: Kerberos and one-time-passwords

    Ian Grant writes:

    > If we allow users kerberised access to their home directories over NFS
    > we would like them to be able to login to machines from remote hosts
    > without exposing their kerberos keys. The only secure way seems to be
    > via one-time-passwords.


    I would use GSSAPI-authenticated ssh? Hm. I wonder if SecureCRT can do
    ticket forwarding, though. It would work great from Unix systems, at
    least.

    > Are there any alternatives whereby a trusted agent (daemon) can be
    > given user's keytabs and can use them to get tickets on the user's
    > behalf after the users authenticate using one time passwords?


    Well, you can use:

    http://www.eyrie.org/~eagle/software/kstart/

    to do the Kerberos authentication part if you work out the OTP part. But
    you have to trust the system with password equivalents for all of the
    users, which seems to somewhat defeat the point.

    --
    Russ Allbery (rra@stanford.edu)


  3. Re: Kerberos and one-time-passwords

    On Thu, 26 Apr 2007 11:08:49 -0700
    Russ Allbery wrote:

    > I would use GSSAPI-authenticated ssh? Hm. I wonder if SecureCRT can
    > do ticket forwarding, though. It would work great from Unix systems,
    > at least.


    By 'remote hosts' I mean machines not in our kerberos domain.

    ssh with GSS auth and ticket-forwarding works fine locally.

    > > Are there any alternatives whereby a trusted agent (daemon) can be
    > > given user's keytabs and can use them to get tickets on the user's
    > > behalf after the users authenticate using one time passwords?
    >
    > Well, you can use:
    >
    > http://www.eyrie.org/~eagle/software/kstart/

    Thanks, that looks interesting. We have the OTP part in the form of
    this: http://www.cl.cam.ac.uk/~mgk25/otpw.html

    > to do the Kerberos authentication part if you work out the OTP part.
    > But you have to trust the system with password equivalents for all of
    > the users, which seems to somewhat defeat the point.

    Well, just the users who are away at the time. I wonder whether we could
    just keep renewing their credentials for them while they are away? But
    that exposes their files more than they may want.

    Most people who have replied to my questions seem to think it's better
    to let people type their kerberos key on remote hosts than it is to
    make them use a private ssh key from the remote site. I would disagree,
    except there seems to be no way to let them at their files once they've
    authenticated with a private key!

    Ian