[Samba] OTP authentication

the2nd at otpme.org the2nd at otpme.org
Tue Jan 20 04:03:42 MST 2015 

On 2015-01-20 02:18, Andrew Bartlett wrote:
> On Wed, 2015-01-14 at 17:53 +0100, the2nd at otpme.org wrote:
>> it's not a certain project that i need this for. its a general 
>> question
>> if this would be possible. i think OTPs are a good idea, also for
>> windows logins.
>> 
>> maybe some of the samba devs can shed some light on this?
> 
> I'm seeing some work in upstream Heimdal, mirroring work being done in
> the Kerberos standards community for this kind of thing.
> 
> If your two-factor is a smart-card, then this is all OK - you can
> already use a smart card to log into Samba.  Likewise, if you can 
> create
> a device that appears to be a smart card to windows (perhaps using a
> backchannel to get short-term certificates), but unlocks with a OTP,
> then you could use that.
> 
> However, I've not seen anything that lets you use this at the standard
> login screen.  If you can on the server-side, predict what the expected
> OTP will be, then we have a better chance (we can just generate the
> 'keys' on a just-in-time basis in our KDC plugin), but otherwise we 
> have
> to do whatever the Microsoft GUI allows.
> 
> If your clients are not Windows, then things get more flexible, as we
> could hook into the standard OTP support being added.
> 
> I'm very interested in this area, and would love for Samba to be the
> very best it can be in supporting improved security like this.
> 
> Andrew Bartlett


Thanks for the explanation. OTPme (the tool i'm currently writing: 
http://www.otpme.org) supports motp (http://motp.sf.net) as 
One-Time-Password tokens.

The design of motp allows the server side to generate a list of OTPs 
(for a given time range) that could be used to verify the authentication 
request.
E.g. for ntlm requests OTPme just generates a "response" for each OTP 
from the list and checks it against the response from the request.

Some time ago i read something about using OTPs with kerberos 
preauthentication data. If i remember correctly preauthentication data 
was a string (e.g. timestamp) encrypted with the users key/OTP.

If this is the case it should be possible to do the same for a kerberos 
request. Is this what you mean if you say "If you can on the 
server-side, predict what the expected
OTP will be...)?

Also i would like to understand whats the concept of the kdc plugin you 
are talking about. Is it intended to be used with external 
authentication tools like OTPme? I would be really happy to make it 
possible to authenticate windows users against OTPme.

regads
the2nd

More information about the samba-technical mailing list