[Samba] OTP authentication
the2nd at otpme.org
Tue Jan 20 04:03:42 MST 2015
On 2015-01-20 02:18, Andrew Bartlett wrote:
> On Wed, 2015-01-14 at 17:53 +0100, the2nd at otpme.org wrote:
>> It's not a certain project that I need this for. It's a general
>> question if this would be possible. I think OTPs are a good idea,
>> also for Windows logins.
>>
>> Maybe some of the Samba devs can shed some light on this?
>
> I'm seeing some work in upstream Heimdal, mirroring work being done in
> the Kerberos standards community for this kind of thing.
>
> If your two-factor is a smart-card, then this is all OK - you can
> already use a smart card to log into Samba. Likewise, if you can create
> a device that appears to be a smart card to Windows (perhaps using a
> backchannel to get short-term certificates), but unlocks with an OTP,
> then you could use that.
>
> However, I've not seen anything that lets you use this at the standard
> login screen. If you can, on the server side, predict what the expected
> OTP will be, then we have a better chance (we can just generate the
> 'keys' on a just-in-time basis in our KDC plugin), but otherwise we have
> to do whatever the Microsoft GUI allows.
>
> If your clients are not Windows, then things get more flexible, as we
> could hook into the standard OTP support being added.
>
> I'm very interested in this area, and would love for Samba to be the
> very best it can be in supporting improved security like this.
>
> Andrew Bartlett
Thanks for the explanation. OTPme (the tool I'm currently writing:
http://www.otpme.org) supports motp (http://motp.sf.net) as
One-Time-Password tokens.

The design of motp allows the server side to generate a list of OTPs
(for a given time range) that could be used to verify the authentication
request. E.g. for NTLM requests OTPme just generates a "response" for each
OTP from the list and checks it against the response from the request.

Some time ago I read something about using OTPs with Kerberos
preauthentication data. If I remember correctly, preauthentication data
was a string (e.g. a timestamp) encrypted with the user's key/OTP.
If this is the case it should be possible to do the same for a Kerberos
request. Is this what you mean when you say "If you can on the
server-side, predict what the expected OTP will be..."?

Also I would like to understand what the concept of the KDC plugin you
are talking about is. Is it intended to be used with external
authentication tools like OTPme? I would be really happy to make it
possible to authenticate Windows users against OTPme.

regards
the2nd
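The list-and-compare check described in the post above, as an added example that is not OTPme's or mOTP's own code: the server generates the mOTP window for an allowed clock drift (the algorithm as documented at motp.sf.net, MD5 of the 10-second step, secret and PIN, truncated to 6 hex characters) and tries each candidate against the client's challenge/response. The response function here is a stand-in HMAC, not the real NTLM computation, and the secret, PIN, times and challenge are constructed values.

```python
import hashlib
import hmac


def motp(secret_hex: str, pin: str, epoch_seconds: int) -> str:
    """Mobile-OTP value for one 10-second step: MD5(step || secret || PIN)[:6].
    Integer division by 10 is the same as dropping the last digit of the epoch."""
    step = str(epoch_seconds // 10)
    return hashlib.md5((step + secret_hex + pin).encode("ascii")).hexdigest()[:6]


def otp_window(secret_hex: str, pin: str, server_time: int, drift_steps: int = 18) -> list:
    """Every OTP a token could display within +/- drift_steps of the server
    clock (18 steps = 3 minutes either way). Ordered from oldest to newest."""
    base = server_time // 10
    return [motp(secret_hex, pin, (base + d) * 10) for d in range(-drift_steps, drift_steps + 1)]


def client_response(challenge: bytes, otp: str) -> bytes:
    """Stand-in (assumption) for what the client derives from its OTP and the
    server challenge. The real NTLM response computation is different."""
    return hmac.new(otp.encode("ascii"), challenge, hashlib.md5).digest()


def verify_response(secret_hex: str, pin: str, server_time: int,
                    challenge: bytes, response: bytes, used_otps: set):
    """Server side: recompute the response for each candidate OTP in the window
    and accept the first match. Accepted OTPs are remembered so a captured
    response cannot be replayed inside the drift window. Returns the matched
    OTP, or None."""
    for cand in otp_window(secret_hex, pin, server_time):
        if cand in used_otps:
            continue
        if hmac.compare_digest(client_response(challenge, cand), response):
            used_otps.add(cand)
            return cand
    return None


if __name__ == "__main__":
    # Constructed demo values: token secret, PIN, a server clock and a client
    # whose clock runs 45 seconds slow.
    SECRET, PIN, SERVER_TIME = "0123456789abcdef", "1234", 1421748222
    challenge = b"\x01\x02\x03\x04\x05\x06\x07\x08"
    resp = client_response(challenge, motp(SECRET, PIN, SERVER_TIME - 45))
    seen = set()
    print("first attempt :", verify_response(SECRET, PIN, SERVER_TIME, challenge, resp, seen))
    print("replayed      :", verify_response(SECRET, PIN, SERVER_TIME, challenge, resp, seen))
```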
More information about the samba-technical
mailing list