[Freeipa-devel] OTP Design

Dmitri Pal dpal at redhat.com
Thu Jan 31 18:51:14 UTC 2013


On 01/31/2013 04:34 AM, Petr Spacek wrote:
> On 30.1.2013 05:35, Dmitri Pal wrote:
>> Hello,
>>
>> We started to shape a page for the OTP prototyping work we are doing.
>> It is work in progress but it has enough information to share and
>> discuss.
>> http://freeipa.org/page/V3/OTP
>>
>> Comments welcome!
>
> I gave it a quick look. Generally, the core seems correct to me. I
> have only nitpicks:
>
> I see a big number of new ipa*-specific attributes.
>
> How do other OTP solutions store tokens/configuration? Is there any
> standard/semi-standard LDAP schema with attributes describing tokens?

No. Not that we are aware of.
>
> MIT KDC has its own ("native") LDAP driver.

Which they do not like and do not want to do more with.
We effectively wrote our own.

> It would be nice to coordinate OID allocation and schema definition
> with MIT and share as many attributes as possible. Do they plan to
> support OTP configuration in LDAP? (I don't see any note about LDAP
> support in http://k5wiki.kerberos.org/wiki/Projects/OTPOverRADIUS .)

They do not plan. And we do not plan to extend the driver. This is the
reason for the current design.
>
> Is the author of
> https://fedoraproject.org/wiki/Features/EnterpriseTwoFactorAuthentication
> aware of our effort?
No, I need to reach out to him.

>
> What about re-using the http://www.dynalogin.org/ server for the TOTP/HOTP
> implementation (rather than writing our own OTP-in-389 implementation)? I
> haven't looked at the dynalogin code ...

The TOTP/HOTP algorithm is very simple; there is really not much to reuse.
>
> Could the (old) draft "SASL and GSS-API Mechanism for Two Factor
> Authentication based on a Password and a One-Time Password (OTP):
> CROTP" from
> http://tools.ietf.org/html/draft-josefsson-kitten-crotp-00 be interesting
> for us (in the future)? Is it worth resurrecting this effort?
>

Not sure. We will see.

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.


-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/