Thursday 27 May 1:30pm
Location: 1320 Digital Computer Lab
 |
|
 |
|
|
|
Location: 1320 Digital Computer Lab
Speaker: Henry B. Hotz
Title: Beyond Passwords: Extending Kerberos Authentication Mechanisms
Abstract:
The Kerberos protocol for getting service tickets and access to services is very good, but most Kerberos (and AFS) deployments still use passwords to get the initial ticket-granting-ticket. Passwords have have obvious drawbacks, in particular being easily stolen.
The IETF has work on how the pre-authentication framework can be extended for other initial authentication methods. There are other standards (or draft standards) on using X509 certificates, and One Time Passwords as specific alternatives.
The MIT and Heimdal implementations both have some provisions for extensions to support new pre-auth mechanisms. I'll give an overview and describe my experiences to date with extending both of these implementations.
Slides:
PDF