On Tue, May 17, 2011 at 12:15:34PM +0200, Linus Nordberg wrote:
Hi list,
I recently pushed[0] some code for putting the nonce in the PA-FX-COOKIE
(to branch otp-wip of git://git.nordu.net/krb-otp.git). It took some
changes to generic FAST code though. Please let me know if you think
this isn't a good way of solving it. For example, I can't really see
how this is supposed to work with authentication sets.
I wonder if similar would be possible by adding KRB5_PADATA_FX_COOKIE to
server_supported_pa_types. If this really works, server_verify_preauth()
should be called twice, once with the cookie and the other time with the
OTP REQ data. Since we don't know in which order the data items will come,
we have to save them and can check the nonce only in the second run.
bye,
Sumit
We'll definitely have to think more about how the nonce should be
constructed. As mentioned in kdc_preauth_get_cookie():
If cookies are used for real, versioning so that KDCs
can be upgraded, keying, expiration and many other issues need
to be considered.
[0] http://git.nordu.net/?p=krb-otp.git;a=commit;h=c8ca1a83805ce967bcf251ff55...
Thanks,
Linus
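To illustrate the two points raised in this thread (a KDC that sees PA-FX-COOKIE and the OTP request in either order and can only decide on the second call, and a cookie that is keyed, versioned and expiring as kdc_preauth_get_cookie() warns), here is an added, self-contained Python model. It is not code from krb-otp or MIT krb5; the cookie layout, the OtpVerifier class and the string pa_type labels are assumptions for the example, and the key and nonce values are constructed test data.

```python
import hashlib
import hmac
import struct

COOKIE_VERSION = 1          # assumed layout: version || expiry || nonce || HMAC-SHA256
COOKIE_LIFETIME = 120       # seconds; assumed value
HDR = struct.Struct("!HQ")  # 2-byte version, 8-byte expiry (unix seconds)
MAC_LEN = 32


def make_cookie(key: bytes, nonce: bytes, now: int) -> bytes:
    """Build the cookie the KDC hands out with the OTP challenge."""
    body = HDR.pack(COOKIE_VERSION, now + COOKIE_LIFETIME) + nonce
    return body + hmac.new(key, body, hashlib.sha256).digest()


def open_cookie(key: bytes, cookie: bytes, now: int) -> bytes:
    """Check MAC first, then version and expiry; return the embedded nonce."""
    if len(cookie) < HDR.size + MAC_LEN:
        raise ValueError("cookie too short")
    body, mac = cookie[:-MAC_LEN], cookie[-MAC_LEN:]
    if not hmac.compare_digest(hmac.new(key, body, hashlib.sha256).digest(), mac):
        raise ValueError("bad cookie MAC")
    version, expiry = HDR.unpack(body[:HDR.size])
    if version != COOKIE_VERSION:
        raise ValueError("unsupported cookie version")
    if now > expiry:
        raise ValueError("cookie expired")
    return body[HDR.size:]


class OtpVerifier:
    """Per-request state: verify_padata() is called once per padata item."""

    def __init__(self, key: bytes, now: int):
        self.key, self.now = key, now
        self.cookie_nonce = None   # saved from PA-FX-COOKIE
        self.req_nonce = None      # saved from the OTP request

    def verify_padata(self, pa_type: str, value: bytes):
        """Return None until both items were seen, then True/False."""
        if pa_type == "PA-FX-COOKIE":
            self.cookie_nonce = open_cookie(self.key, value, self.now)
        elif pa_type == "PA-OTP-REQUEST":
            self.req_nonce = value
        else:
            return None
        if self.cookie_nonce is None or self.req_nonce is None:
            return None  # first run: only save, decide in the second run
        return hmac.compare_digest(self.cookie_nonce, self.req_nonce)
```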
_______________________________________________
authhub-devel mailing list
authhub-devel(a)lists.fedorahosted.org
https://fedorahosted.org/mailman/listinfo/authhub-devel