encrypted response (parameter)

the2nd at otpme.org the2nd at otpme.org
Wed Jan 21 21:13:33 CET 2015

On 2015-01-21 20:38, Alan DeKok wrote:
> On Jan 21, 2015, at 2:24 PM, the2nd at otpme.org wrote:
>> is it possible to add an attribute to an Access-Accept packet that is 
>> encrypted? just like the user password in the Access-Request?
>   Yes.  But the RADIUS client has to be able to understand it.  Which
> means encrypting the attribute will likely do nothing.
>   What do you want to accomplish, and why?
>   Alan DeKok.
> -
> List info/subscribe/unsubscribe? See 
> http://www.freeradius.org/list/users.html

there is an ongoing discussion on the samba technical list if it would 
be possible to use OTPs with samba/windows clients and kerberos 
authentication for domain logins.

one solution may be to use kerberos preauth data. this is some data 
(e.g. a timestamp) encrypted with the user password. the user/client 
sends this to the kerberos server which also knows the user password and 
thus can decrypt it. this is just the first step when doing kerberos 
authentication but as far as i know from the discussion it would be 
possible to plug into the auth process at this point to do external otp 

to make this possible the preauth data would be send to the external 
tool via a radius request. the external tool (e.g. via exec or 
rlm_python) would then do the verfication and send an Access-Accept 

the problem is that the kerberos server, by design, needs the clear-text 
password/OTP. this is why i'm asking about this feature as it is a bad 
idea to send it in clear-text.

currently there is no code that does this and it's not clear if there is 
someone who is willing to implement it.

but it would be a great improvement to samba and windows security and if 
i'm not completely wrong with my assumptions it would be possible to use 
it without any windows client modifications.

you can find the discussion here: 

currently i have not brought radius into the discussion as i first 
wanted to ask on this list if something like this would be possible.


More information about the Freeradius-Users mailing list