encrypted response (parameter)
the2nd at otpme.org
the2nd at otpme.org
Wed Jan 21 21:13:33 CET 2015
On 2015-01-21 20:38, Alan DeKok wrote:
> On Jan 21, 2015, at 2:24 PM, the2nd at otpme.org wrote:
>> is it possible to add an attribute to an Access-Accept packet that is
>> encrypted? just like the user password in the Access-Request?
> Yes. But the RADIUS client has to be able to understand it. Which
> means encrypting the attribute will likely do nothing.
> What do you want to accomplish, and why?
> Alan DeKok.
> List info/subscribe/unsubscribe? See
there is an ongoing discussion on the samba technical list if it would
be possible to use OTPs with samba/windows clients and kerberos
authentication for domain logins.
one solution may be to use kerberos preauth data. this is some data
(e.g. a timestamp) encrypted with the user password. the user/client
sends this to the kerberos server which also knows the user password and
thus can decrypt it. this is just the first step when doing kerberos
authentication but as far as i know from the discussion it would be
possible to plug into the auth process at this point to do external otp
to make this possible the preauth data would be send to the external
tool via a radius request. the external tool (e.g. via exec or
rlm_python) would then do the verfication and send an Access-Accept
the problem is that the kerberos server, by design, needs the clear-text
password/OTP. this is why i'm asking about this feature as it is a bad
idea to send it in clear-text.
currently there is no code that does this and it's not clear if there is
someone who is willing to implement it.
but it would be a great improvement to samba and windows security and if
i'm not completely wrong with my assumptions it would be possible to use
it without any windows client modifications.
you can find the discussion here:
currently i have not brought radius into the discussion as i first
wanted to ask on this list if something like this would be possible.
More information about the Freeradius-Users