"Password validation services" -- how can we avoid creating more of them?

Jason Dusek jason.dusek at gmail.com
Thu Dec 28 20:10:05 PST 2006


On 12/28/06, David Wolfskill <david at catwhisker.org> wrote:
> My recollection is that there are no authentication mechanisms
> specified by Kerberos per se.

There are two steps to Kerberos authentication: authenticating to the
Kerberos server, and authenticating to a 'Kerberized' service -- a
service that trusts the Kerberos server for authentication. When you
authenticate to the Kerberos server, you have a lot of choices -- x509
certificates (University of Michigan has done this, I believe),
password authentication (probably the most common choice), &c. The
Kerberos server gives you a 'ticket granting ticket' (we could call it
a key) and from that point forward, it's all tickets until your ticket
granting ticket expires.

So, most Kerberos installations combine password authentication (to
the Kerberos server) with key authentication (to Kerberized services
-- Apache, Dovecot, SSH, PAM).

> Is there some way to use 2-factor authentication mechanisms for *all*
> remote access?  Not just SSH; that works fine:  what about HTTPS?
> IMAPS?  Any others?

You could Kerberize all these services, and then set up your Kerberos
Domain Controller to use two factor authentication. With Apache, for
example, use mod_krb5, and then get Mozilla with the integrated auth
extension. You can find out more about that at:

    http://www.mozilla.org/projects/netlib/integrated-auth.html

Some smart people have posted some stuff, available via Google search,
about two factor authentication and Kerberos -- it's been done, I
gather. I wish I could tell you more -- I love this kind of stuff and
was working on it about 6 months ago -- but I've never set up two
factor authentication with Kerberos (or with anything else, for that
matter).
-- 
_jsn



More information about the Baylisa mailing list
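The two steps the post describes (a password exchange with the Kerberos server that yields a ticket-granting ticket, then tickets only toward Kerberized services) can be walked through in code. The following is an added example, not code from the post or from any Kerberos implementation: it models the AS, TGS and AP exchanges with both sides' messages so you can see where the password is used (only to derive a key on the client) and what a Kerberized service actually needs (its own keytab key, nothing else). The realm EXAMPLE.ORG, the principals "david" and "imap/mail.example.org", the password and the 10-hour lifetime are constructed for the demo, and the `seal`/`unseal` routines are an HMAC-SHA256 stand-in for real Kerberos enctypes; RFC 4120 message formats, pre-authentication and replay caches are deliberately not reproduced.

```python
import hashlib, hmac, json, os, time

REALM, SKEW, LIFETIME = "EXAMPLE.ORG", 300, 36000  # assumed realm; 5 min skew; 10 h tickets

def string_to_key(password, principal):
    # Password -> client long-term key (salted with realm+principal). PBKDF2 stands in
    # for the RFC 4120 string-to-key function; only the KDC and the user hold this key.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), (REALM + principal).encode(), 10_000)

def _keystream(key, nonce, n):
    return b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                    for i in range((n + 31) // 32))[:n]

def seal(key, obj):
    # Toy encrypt-then-MAC (HMAC-SHA256 keystream + tag); a stand-in, not a Kerberos enctype.
    pt, nonce = json.dumps(obj).encode(), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("integrity check failed: wrong key or tampered ticket")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

def check_authenticator(session_key, authenticator, client, now):
    # An authenticator proves the sender holds the ticket's session key *now*; a stale
    # timestamp is refused (real KDCs and services also keep a replay cache).
    a = unseal(session_key, authenticator)
    if a["client"] != client or abs(now - a["ts"]) > SKEW:
        raise ValueError("authenticator rejected: wrong principal or stale timestamp")

class KDC:
    """Key Distribution Center: the only party that ever sees password-derived keys."""
    def __init__(self):
        self.keys = {}                 # principal -> long-term key
        self.tgs_key = os.urandom(32)  # krbtgt/REALM key; TGTs are sealed under it

    def add_user(self, name, password):
        self.keys[name] = string_to_key(password, name)

    def add_service(self, name):
        self.keys[name] = os.urandom(32)  # what the service gets in its keytab
        return self.keys[name]

    def as_exchange(self, client, now):
        # AS-REQ -> AS-REP: a TGT (opaque to the client) plus the TGT session key sealed
        # under the client's long-term key. The password never travels; a client with
        # the wrong password simply cannot open its half of the reply.
        sk = os.urandom(32).hex()
        tgt = seal(self.tgs_key, {"client": client, "key": sk, "expires": now + LIFETIME})
        return tgt, seal(self.keys[client], {"key": sk, "expires": now + LIFETIME})

    def tgs_exchange(self, tgt, authenticator, service, now):
        # TGS-REQ -> TGS-REP: present the TGT and a fresh authenticator, receive a
        # service ticket sealed under the *service's* key. No password involved.
        t = unseal(self.tgs_key, tgt)
        if t["expires"] < now:
            raise ValueError("TGT expired: time to kinit again")
        tgt_key = bytes.fromhex(t["key"])
        check_authenticator(tgt_key, authenticator, t["client"], now)
        sk = os.urandom(32).hex()
        ticket = seal(self.keys[service], {"client": t["client"], "key": sk, "expires": now + LIFETIME})
        return ticket, seal(tgt_key, {"key": sk})

def kinit(kdc, client, password, now):
    # Step 1 of the post: authenticate to the KDC and come away with a TGT.
    tgt, enc = kdc.as_exchange(client, now)
    return tgt, bytes.fromhex(unseal(string_to_key(password, client), enc)["key"])

def ap_req(kdc, client, tgt, tgt_key, service, now):
    # Step 2 of the post: from here on it is tickets, not the password.
    ticket, enc = kdc.tgs_exchange(tgt, seal(tgt_key, {"client": client, "ts": now}), service, now)
    svc_key = bytes.fromhex(unseal(tgt_key, enc)["key"])
    return ticket, seal(svc_key, {"client": client, "ts": now})

def service_accept(keytab_key, ticket, authenticator, now):
    # A Kerberized Apache/Dovecot/sshd: decrypt the ticket with its own keytab key, check
    # validity and the authenticator, learn the client principal. It needs neither the
    # user's password nor a live connection to the KDC.
    t = unseal(keytab_key, ticket)
    if t["expires"] < now:
        raise ValueError("service ticket expired")
    check_authenticator(bytes.fromhex(t["key"]), authenticator, t["client"], now)
    return t["client"]

def demo(login_password="correct horse", delay=0.0):
    # Full flow with constructed principals; returns the principal the service
    # authenticated, or "REJECTED: <reason>" when some step refuses.
    kdc = KDC()
    kdc.add_user("david", "correct horse")
    imap_keytab = kdc.add_service("imap/mail.example.org")
    now = time.time()
    try:
        tgt, tgt_key = kinit(kdc, "david", login_password, now)
        ticket, auth = ap_req(kdc, "david", tgt, tgt_key, "david" and "imap/mail.example.org", now)
        return service_accept(imap_keytab, ticket, auth, now + delay)
    except ValueError as e:
        return f"REJECTED: {e}"
```

Running `demo()` returns "david"; `demo(login_password="wrong")` is refused at the client's own decryption of the AS reply, which is why the password never has to reach the service and why the same TGT can be reused for Apache, Dovecot and SSH alike; `demo(delay=600)` shows an authenticator replayed outside the skew window being rejected by the service, and `demo(delay=LIFETIME + 1)` shows the ticket itself expiring, the point at which the post says it is time to re-authenticate to the Kerberos server.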