On Mon, Oct 30, 2017 at 09:05:10AM -0700, Pallissard, Matthew wrote:
> > any ideas how to implement OTP for Windows with MIT kerberos client?
> > possible?
>
> I don't know if KFW 4.1 supports OTP but what I do know is that in the past I
> couldn't get PKINIT working with KFW. I had to implement heimdal on the
> client end.
>
> https://www.mail-archive.com/kfwdev@mit.edu/msg00822.html
>
> Could be related. Someone here could probably speak to that better than
> myself though.

It's quite related, yes. The FAST OTP mechanism of RFC 6560 requires a
FAST tunnel to exist over which the OTP value is sent. Generally this
tunnel is obtained via anonymous PKINIT, but PKINIT of all forms is not
currently implemented in KfW. In principle, the needed FAST tunnel could
be obtained in other ways, e.g., via a machine keytab, but the number of
situations in which these other methods would actually be useful is
quite limited.

-Ben
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos