encrypted response (parameter)

the2nd at otpme.org the2nd at otpme.org
Wed Jan 21 21:58:24 CET 2015

On 2015-01-21 21:32, Alan DeKok wrote:
> On Jan 21, 2015, at 3:13 PM, the2nd at otpme.org wrote:
>> there is an ongoing discussion on the samba technical list if it would 
>> be possible to use OTPs with samba/windows clients and kerberos 
>> authentication for domain logins.
>   That sounds like a good idea.
>> one solution may be to use kerberos preauth data. this is some data 
>> (e.g. a timestamp) encrypted with the user password. the user/client 
>> sends this to the kerberos server which also knows the user password 
>> and thus can decrypt it. this is just the first step when doing 
>> kerberos authentication but as far as i know from the discussion it 
>> would be possible to plug into the auth process at this point to do 
>> external otp verification.
>   OK.
>> to make this possible the preauth data would be send to the external 
>> tool via a radius request. the external tool (e.g. via exec or 
>> rlm_python) would then do the verfication and send an Access-Accept 
>> response.
>   That should work.
>> the problem is that the kerberos server, by design, needs the 
>> clear-text password/OTP. this is why i'm asking about this feature as 
>> it is a bad idea to send it in clear-text.
>   Yes.  Clear-text is bad.  There are standard provisions for doing
> this in RADIUS.  See the Tunnel-Password attribute.  My suggestion
> would be to just re-use that.  Everyone understands it, and using it
> requires as few changes as possible.
>> currently there is no code that does this and it's not clear if there 
>> is someone who is willing to implement it.
>   If it’s RADIUS related, I can help...
>> but it would be a great improvement to samba and windows security and 
>> if i'm not completely wrong with my assumptions it would be possible 
>> to use it without any windows client modifications.
>   Someone would need to implement RADIUS, right?
>> you can find the discussion here: 
>> http://samba.2283325.n4.nabble.com/Re-Samba-OTP-authentication-td4679491.html
>> currently i have not brought radius into the discussion as i first 
>> wanted to ask on this list if something like this would be possible.
>   If you do end up using RADIUS, *please* include me in the overall
> design.  I can help design something that is (a) simple, (b)
> functional, and (c) easily implemented by everyone.

i personally would be very happy if anyone would do the job as i do not 
have the skill to do it. :)

currently i'm learning python as my first language and i've done some 
progess on this but i'm far away from being an experienced dev. ;)

as far as i know samba uses a fork of heimdal for kerberos 
authentication. Andrew Bartlett pointed me to the technical list and he 
was talking about some kdc plugin architecture. but he was talking about 
generating the OTPs from within the kdc. that's not whats we need for 

maybe it's a good idea that you join the discussion on the samba list? i 
guess i cannot help with anything related to samba/kerberos development. 

i can forward the latest mail to you if you want.


>   I’ve seen too many RADIUS designs where people just go implement
> some random thing.  It’s specific to one vendor, and makes life harder
> for everyone else.
>   Alan DeKok.
> -
> List info/subscribe/unsubscribe? See 
> http://www.freeradius.org/list/users.html

More information about the Freeradius-Users mailing list