May 24-28, 2010

Thursday 27 May 1:30pm

Location: 1320 Digital Computer Lab

Speaker: Henry B. Hotz

Title: Beyond Passwords: Extending Kerberos Authentication Mechanisms


The Kerberos protocol for getting service tickets and access to services is very good, but most Kerberos (and AFS) deployments still use passwords to get the initial ticket-granting ticket. Passwords have obvious drawbacks, in particular being easily stolen.

The IETF has been working on how the pre-authentication framework can be extended to other initial authentication methods. There are other standards (or draft standards) on using X.509 certificates and one-time passwords as specific alternatives.

The MIT and Heimdal implementations both have some provisions for extensions to support new pre-auth mechanisms. I'll give an overview and describe my experiences to date with extending both of these implementations.
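As an added example (not code from the talk, nor from the MIT or Heimdal implementations), the following Python models the negotiation that the pre-authentication framework describes: a KDC answers an AS-REQ that carries no pre-authentication with a pre-auth-required error listing the mechanisms it will accept for that principal, and the client answers with one it can satisfy. Only the error names follow RFC 4120; the string-to-key stand-in, the HMAC "encrypted timestamp", the counter-based one-time code, the mechanism labels and the principal and seed values are all constructed for this model and are not wire-compatible Kerberos. The point it makes is the one the talk motivates: once a principal's policy drops the password mechanism, a stolen static password no longer yields a ticket, because the KDC never offers or accepts that pre-auth type for it.

```python
"""Constructed model of Kerberos pre-authentication negotiation (added example)."""
import hashlib
import hmac
import time
from dataclasses import dataclass
from typing import Optional

# Mechanism labels are constructed for this model; real padata-types are integers.
PA_ENC_TIMESTAMP = "enc-timestamp"   # proves knowledge of a password-derived key
PA_OTP = "otp"                       # proves possession of a token; static secret never sent


@dataclass
class Principal:
    name: str
    password: Optional[str]      # None = password pre-auth not permitted for this principal
    otp_seed: Optional[bytes]    # None = no token enrolled
    otp_counter: int = 0

    def allowed_pa_types(self):
        """Policy: which pre-auth mechanisms the KDC advertises and accepts for this principal."""
        types = []
        if self.password is not None:
            types.append(PA_ENC_TIMESTAMP)
        if self.otp_seed is not None:
            types.append(PA_OTP)
        return types


def string_to_key(password: str, salt: str) -> bytes:
    # Stand-in for the Kerberos string-to-key function (real enctypes use their own KDFs).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 10_000)


def enc_timestamp(key: bytes, ts: int) -> bytes:
    # Stand-in for encrypting the timestamp under the client key: an HMAC tag over it.
    return hmac.new(key, str(ts).encode(), "sha256").digest()


def otp_code(seed: bytes, counter: int) -> str:
    # Constructed counter-based one-time code: HMAC truncated to six digits.
    digest = hmac.new(seed, counter.to_bytes(8, "big"), "sha256").digest()
    return f"{int.from_bytes(digest[:4], 'big') % 1_000_000:06d}"


class KDC:
    def __init__(self, principals, skew=300):
        self.db = {p.name: p for p in principals}
        self.skew = skew  # seconds of clock skew tolerated on the timestamp

    def as_req(self, cname, padata=None):
        p = self.db.get(cname)
        if p is None:
            return {"error": "KDC_ERR_C_PRINCIPAL_UNKNOWN"}
        allowed = p.allowed_pa_types()
        if padata is None:
            # No pre-auth supplied: tell the client which mechanisms this principal may use.
            return {"error": "KDC_ERR_PREAUTH_REQUIRED", "pa_types": allowed}
        pa_type, pa_value = padata
        if pa_type not in allowed:
            return {"error": "KDC_ERR_PADATA_TYPE_NOSUPP"}
        if pa_type == PA_ENC_TIMESTAMP:
            ts, tag = pa_value
            expected = enc_timestamp(string_to_key(p.password, cname), ts)
            if abs(time.time() - ts) > self.skew or not hmac.compare_digest(tag, expected):
                return {"error": "KDC_ERR_PREAUTH_FAILED"}
        elif pa_type == PA_OTP:
            # Accept only the current code, then advance so the same code cannot be reused.
            if not hmac.compare_digest(pa_value, otp_code(p.otp_seed, p.otp_counter)):
                return {"error": "KDC_ERR_PREAUTH_FAILED"}
            p.otp_counter += 1
        return {"tgt": f"TGT for {cname} via {pa_type}"}


def client_login(kdc, cname, password=None, otp=None):
    """Client side: send a bare AS-REQ, read the offered pa-types, answer with one it can satisfy."""
    rep = kdc.as_req(cname)
    if rep.get("error") != "KDC_ERR_PREAUTH_REQUIRED":
        return rep
    offered = rep["pa_types"]
    if PA_OTP in offered and otp is not None:
        return kdc.as_req(cname, (PA_OTP, otp))
    if PA_ENC_TIMESTAMP in offered and password is not None:
        ts = int(time.time())
        tag = enc_timestamp(string_to_key(password, cname), ts)
        return kdc.as_req(cname, (PA_ENC_TIMESTAMP, (ts, tag)))
    return {"error": "no usable pre-auth mechanism", "pa_types": offered}


if __name__ == "__main__":
    seed = b"constructed-token-seed"   # constructed sample value
    kdc = KDC([Principal("alice", "correct horse", None),   # password-only principal
               Principal("bob", None, seed)])               # token-only principal
    print(client_login(kdc, "alice", password="correct horse"))
    print(client_login(kdc, "bob", otp=otp_code(seed, 0)))
    print(client_login(kdc, "bob", password="a stolen password"))  # no usable mechanism
```

The two principals illustrate the policy lever the framework gives an administrator: `alice` is still offered only the password-derived mechanism, while `bob` is offered only the token mechanism, so a copy of `bob`'s old password is useless at the AS exchange and a presented timestamp pre-auth is refused outright as an unsupported padata-type rather than even being checked.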