encrypted response (parameter)

Alan DeKok aland at deployingradius.com
Wed Jan 21 21:32:21 CET 2015 

On Jan 21, 2015, at 3:13 PM, the2nd at otpme.org wrote:
> there is an ongoing discussion on the samba technical list if it would be possible to use OTPs with samba/windows clients and kerberos authentication for domain logins.

  That sounds like a good idea.

> one solution may be to use kerberos preauth data. this is some data (e.g. a timestamp) encrypted with the user password. the user/client sends this to the kerberos server which also knows the user password and thus can decrypt it. this is just the first step when doing kerberos authentication but as far as i know from the discussion it would be possible to plug into the auth process at this point to do external otp verification.

  OK.

> to make this possible the preauth data would be send to the external tool via a radius request. the external tool (e.g. via exec or rlm_python) would then do the verfication and send an Access-Accept response.

  That should work.

> the problem is that the kerberos server, by design, needs the clear-text password/OTP. this is why i'm asking about this feature as it is a bad idea to send it in clear-text.

  Yes.  Clear-text is bad.  There are standard provisions for doing this in RADIUS.  See the Tunnel-Password attribute.  My suggestion would be to just re-use that.  Everyone understands it, and using it requires as few changes as possible.

> currently there is no code that does this and it's not clear if there is someone who is willing to implement it.

  If it’s RADIUS related, I can help...

> but it would be a great improvement to samba and windows security and if i'm not completely wrong with my assumptions it would be possible to use it without any windows client modifications.

  Someone would need to implement RADIUS, right?

> you can find the discussion here: http://samba.2283325.n4.nabble.com/Re-Samba-OTP-authentication-td4679491.html
> 
> currently i have not brought radius into the discussion as i first wanted to ask on this list if something like this would be possible.

  If you do end up using RADIUS, *please* include me in the overall design.  I can help design something that is (a) simple, (b) functional, and (c) easily implemented by everyone.

  I’ve seen too many RADIUS designs where people just go implement some random thing.  It’s specific to one vendor, and makes life harder for everyone else.

  Alan DeKok.

More information about the Freeradius-Users mailing list