On Fri, Jul 07, 2017 at 11:04:47AM +0200, Felix Weissbeck wrote:
>
> The "problem" here is that you can now obtain a Kerberos ticket with your
> second factor alone; so you could configure PAM to successfully authenticate
> with password+token.
Yes, the FAST/OTP preauthentication mechanism from RFC 6560 uses only the OTP factor, which makes it a great solution if you already have deployed OTP infrastructure and need to add a Kerberos solution for your site. For using OTP as a second factor, it's not really an option.

The current thinking in this space is that the SPAKE preauth scheme in https://datatracker.ietf.org/doc/draft-ietf-kitten-krb-spake-preauth/ will fill this void, allowing a second factor to be mixed in with a PAKE password-based preauth that does not expose anything encrypted in password-based keys directly on the wire (so as to stymie brute-force attacks).

-Ben

________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
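The contrast Ben draws, as an added toy model written for this thread and not code from the post, from RFC 6560, from the SPAKE draft or from MIT Kerberos: with encrypted-timestamp preauth a passive observer captures ciphertext under the password-derived key and can grind a wordlist against it offline, whereas in a SPAKE-style exchange only blinded group elements cross the wire, and a second factor can be folded into the resulting key so that neither the password nor the OTP alone gets a ticket. Everything here is simplified and labelled as such: the "enctype" is a SHA-256 keystream plus HMAC tag, the group is a freshly generated 128-bit safe-prime group (far too small for real use), the principal/salt/password/OTP values are constructed, and the OTP is mixed straight into the KDF rather than exchanged the way the draft specifies.

```python
# Added toy model for the thread above, not code from the post, RFC 6560, the
# SPAKE draft or MIT Kerberos.  Standard library only; the cipher, the 128-bit
# group and the "mix the OTP into the KDF" step are simplifications (see comments).
import hashlib, hmac, os, secrets, time

SALT = b"EXAMPLE.ORGalice"  # Kerberos-style default salt: realm + principal name (constructed)

def string2key(password):
    # Stand-in for Kerberos string-to-key (the aes-sha1 enctypes also use PBKDF2).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 4096, 32)

def toy_encrypt(key, plaintext):
    # Toy authenticated encryption (NOT a Kerberos enctype): SHA-256 keystream plus
    # HMAC tag.  A wrong key is detectable, which is what an offline attacker needs.
    nonce = os.urandom(16)
    stream = hashlib.sha256(key + nonce).digest()            # plaintext <= 32 bytes
    ct = bytes(a ^ b for a, b in zip(plaintext, stream))
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()[:8]

def toy_decrypt(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-8], blob[-8:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, "sha256").digest()[:8], tag):
        return None                                           # wrong key or tampering
    return bytes(a ^ b for a, b in zip(ct, hashlib.sha256(key + nonce).digest()))

# 1. PA-ENC-TIMESTAMP: the timestamp crosses the wire under the password-derived key.
def enc_timestamp_preauth(password):
    return toy_encrypt(string2key(password), int(time.time()).to_bytes(8, "big"))

def offline_attack(blob, wordlist):
    # A passive observer tries candidates against the captured blob; no KDC involved.
    for guess in wordlist:
        if toy_decrypt(string2key(guess), blob) is not None:
            return guess
    return None

# 2. SPAKE-style preauth: only blinded group elements cross the wire.
def is_probable_prime(n, rounds=16):                          # Miller-Rabin
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def safe_prime(bits):
    # p = 2q + 1 with q prime; 128 bits is a toy size chosen to keep this fast.
    while True:
        q = secrets.randbits(bits - 1) | (1 << (bits - 2)) | 1
        if is_probable_prime(q) and is_probable_prime(2 * q + 1):
            return 2 * q + 1, q

P, Q = safe_prime(128)
G = 4   # a quadratic residue, so it generates the order-Q subgroup

def hash_to_group(label):
    # Nothing-up-my-sleeve M and N; squaring puts the result in the order-Q subgroup.
    return pow(int.from_bytes(hashlib.sha256(label).digest(), "big") % P, 2, P)

M, N = hash_to_group(b"SPAKE-M"), hash_to_group(b"SPAKE-N")

def pw_scalar(password):
    return int.from_bytes(string2key(password), "big") % Q

def spake_client_start(password):
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P) * pow(M, pw_scalar(password), P) % P      # T = g^x * M^w

def spake_kdc_respond(stored_w, T):
    y = secrets.randbelow(Q - 1) + 1
    S = pow(G, y, P) * pow(N, stored_w, P) % P                      # S = g^y * N^w
    return S, pow(T * pow(pow(M, stored_w, P), -1, P) % P, y, P)    # K = (T/M^w)^y

def spake_client_finish(x, password, S):
    return pow(S * pow(pow(N, pw_scalar(password), P), -1, P) % P, x, P)  # (S/N^w)^x

def session_key(T, S, K, w, otp):
    # Simplification: the second factor is mixed straight into the KDF, so the key
    # is only right when BOTH the password (via K and w) and the OTP are right.
    material = b"|".join(str(v).encode() for v in (T, S, K, w)) + b"|" + otp.encode()
    return hashlib.sha256(material).digest()

def spake_preauth(password, otp, kdc_w, kdc_otp):
    # Full exchange; the KDC accepts only if the client's proof decrypts under its key.
    x, T = spake_client_start(password)
    S, K_kdc = spake_kdc_respond(kdc_w, T)
    K_cli = spake_client_finish(x, password, S)
    proof = toy_encrypt(session_key(T, S, K_cli, pw_scalar(password), otp), b"preauth-ok")
    return toy_decrypt(session_key(T, S, K_kdc, kdc_w, kdc_otp), proof) == b"preauth-ok"

def unblind(T, guess):
    # All an eavesdropper can do with T and a guessed password: compute g^x * M^(w-w').
    # Right or wrong, the result is just another subgroup element: nothing to check.
    return T * pow(pow(M, pw_scalar(guess), P), -1, P) % P
```

Running `offline_attack(enc_timestamp_preauth("hunter2"), wordlist)` recovers the password from the captured blob alone, which is the brute-force exposure Ben mentions. Against the SPAKE transcript, `unblind(T, guess)` yields a valid subgroup element for every guess, right or wrong, so the observer has no oracle, and `spake_preauth` returns `True` only when the client holds both the password and the OTP, which is the behaviour the RFC 6560 OTP-only mechanism cannot give you.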