From owner-freebsd-security Wed Aug 22 9:53:16 2001
Date: Wed, 22 Aug 2001 12:52:38 -0400 (EDT)
From: Garrett Wollman
Message-Id: <200108221652.f7MGqco61050@khavrinen.lcs.mit.edu>
To: Dave Ryan
Cc: freebsd-security@FreeBSD.ORG
Subject: kerberosV - SecurID
In-Reply-To: <20010822174157.A28071@alpha.eng.eircom.net>
References: <3B83A8BC.BCF790A0@karolinelund.dk> <20010822140020.A1911@alpha.eng.eircom.net> <200108221628.f7MGSud60744@khavrinen.lcs.mit.edu> <20010822174157.A28071@alpha.eng.eircom.net>

< said:

> Does anyone know if RSA Securid OTP's are used anywhere to enhance the ticket
> granting phase of a kerberos authentication sequence?

Yes.  I believe one of the USDOE-funded National Labs is doing so.

The process is called ``preauthentication'' in Kerberos terminology.
A principal whose REQUIRES_PREAUTH flag is set in the KDC's database
must prove to the KDC's satisfaction that it is who it claims to be
before the KDC will issue a TGT.  (The principal still must have a
password which is used as the decryption key for the TGT.)

-GAWollman
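The exchange described in the reply above, as an added example that is not part of the original message and is not code from any Kerberos implementation: a toy model of a KDC that enforces a preauthentication flag with a one-time code and still seals its reply under the password-derived key. ToyKDC, otp_ok, login and the seal/unseal cipher are hypothetical names for this model only; the two error codes are the RFC 4120 values.

```python
import hashlib, hmac, os

# RFC 4120 error codes carried in a KRB-ERROR reply
KDC_ERR_PREAUTH_FAILED = 24
KDC_ERR_PREAUTH_REQUIRED = 25

def string_to_key(password, principal):
    # Stand-in for Kerberos string-to-key; the principal name serves as salt.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), principal.encode(), 10_000)

def _keystream(key, nonce, n):
    return hashlib.shake_256(b"enc" + key + nonce).digest(n)

def seal(key, plaintext):
    # Toy encrypt-then-MAC for this model only; not a Kerberos enctype.
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("decryption failed: wrong long-term key")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

class ToyKDC:
    def __init__(self, otp_ok):
        self.otp_ok = otp_ok   # hypothetical hook to the token server
        self.db = {}           # principal -> (long-term key, requires_preauth)

    def add_principal(self, name, password, requires_preauth):
        self.db[name] = (string_to_key(password, name), requires_preauth)

    def as_req(self, name, otp=None):
        key, requires_preauth = self.db[name]
        if requires_preauth:
            if otp is None:
                return ("KRB_ERROR", KDC_ERR_PREAUTH_REQUIRED)
            if not self.otp_ok(name, otp):
                return ("KRB_ERROR", KDC_ERR_PREAUTH_FAILED)
        # Preauthentication satisfied (or not required): the reply is still
        # sealed under the password-derived key, so the password is needed too.
        session_key = os.urandom(16)
        return ("AS_REP", seal(key, session_key))

def login(kdc, name, password, otp=None):
    # Client side: returns an error code, or the session key on success.
    kind, body = kdc.as_req(name, otp)
    if kind == "KRB_ERROR":
        return body
    return unseal(string_to_key(password, name), body)
```

For a flagged principal the KDC returns nothing encrypted under the long-term key until the one-time code checks out, and a correct code with the wrong password still fails at decryption.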