I have rebased Sumit's AuthHub yubikey plugin onto a new repo here:
https://github.com/npmccallum/krb5-anonsvn/tree/AuthHub
This will allow proper merging with the upstream github repo. Let me
know if I've missed anything.
Nathaniel

Hi list,
I recently pushed[0] some code for putting the nonce in the PA-FX-COOKIE
(to branch otp-wip of git://git.nordu.net/krb-otp.git). It took some
changes to generic FAST code though. Please let me know if you think
this isn't a good way of solving it. For example, I can't really see
how this is supposed to work with authentication sets.
We'll definitely have to think more about how the nonce should be
constructed. As mentioned in kdc_preauth_get_cookie():
If cookies are used for real, versioning so that KDCs
can be upgraded, keying, expiration and many other issues need
to be considered.
[0] http://git.nordu.net/?p=krb-otp.git;a=commit;h=c8ca1a83805ce967bcf251ff553f…
Thanks,
Linus

Hi,
There's a naïve plugin system in place in the otp branch of
git://git.nordu.net/krb-otp.git, based on the AuthHub code.
It's all static and a bit clumsy a.t.m. with the OTP FAST plugin
depending on everything that its "methods" depend on.
The interface is agnostic to Kerberos implementation in an attempt to
make OTP methods easier to deploy. Whether this holds water is
something yet to be seen. Configuration is split up into kdb and config
(krb5.conf) with the kdb per-principal data in turn split up in two
parts. One entry (krbExtraData in MIT) is used by the OTP plugin for
selecting OTP method. The other is an opaque blob not interpreted by
generic code, as earlier suggested by Dmitri.
Some error and memory handling cleanup has been done but there are still
lots of issues with how requests are verified by the KDC. Looking into
this shortly.
There's a simple plugin using libcurl to do http(s) basic authentication
in m_basicauth.[ch].
The original Yubikey functionality can be found in m_ykclient.[ch].
It's all mostly untested.