[EXTERNAL] Re: FAST OTP

Dmitri Pal dpal at redhat.com
Sun Aug 28 17:57:45 EDT 2016


On 08/27/2016 09:10 PM, Machin, Glenn D wrote:
> Thanks to Dio I was able to get the Pkinit Anonymous working to enable the armor key.   I noticed that RedHat 7 supports OTP in Kerberos and the kinit works fine.   You do need to force TCP for Kerberos,  since the radius transaction can take longer than a second to complete at times. Using UDP I was getting a failure on the RH7 system (a VM on my laptop) because the initial AS_REQ did not complete until after a second AS_REQ was sent, which failed, while the first came back successful.   
>
> Next step was to be able to use it for login/sudo.    I modified the pam_krb5 step to below in system-auth.   What I see on the KDC are only encrypted timestamp preauth.  
>
> Can RHEL7 pam_krb5 do OTP?
>
>        auth        [success=done authinfo_unavail=ignore new_authtok_reqd=ok ignore=ignore default=die]    pam_krb5.so no_initial_prompt no_subsequent_prompt armor=true armor_strategy=pkinit

SSSD rather than pam_krb5.
https://fedorahosted.org/sssd/

You in fact need to use TCP for the reasons you described and SSSD does
it for you.
RHEL 7 also has IdM (open source project is FreeIPA
http://www.freeipa.org/page/Main_Page) that includes MIT Kerberos server
as part of its domain controller offering which is free.
All the manual things you are exploring now are taken care of for you in
RHEL 7, Fedora and CentOS using IdM/FreeIPA and its client that
configures SSSD, Kerberos client, DNS and other parts of the system.

Thanks
Dmitri

>
> Any help would be appreciated.
>
>
> Glenn
>
>
>
>
> On 8/26/16, 4:09 PM, "kerberos-bounces at mit.edu on behalf of Dmitri Pal" <kerberos-bounces at mit.edu on behalf of dpal at redhat.com> wrote:
>
>     On 08/26/2016 04:38 PM, Diogenes Jesus wrote:
>     >
>     >> I was able to configure a krb5-1.14.2 KDC to use FAST OTP with an RSA Authentication Manager Radius server.
>     >>
>     >> I have a couple of questions:
>     >>
>     >>
>     >> ·         FAST requires an existing ticket cache.  If you need a TGT to get a FAST OTP TGT how do you do that?
>     > One way is to enable Anonymous support (http://k5wiki.kerberos.org/wiki/Anonymous_kerberos) - DON'T forget to restrict anonymous to tgt only on your kdcs!
>     >
>     > Dio
>     >
>     > ________________________________________________
>     > Kerberos mailing list           Kerberos at mit.edu
>     > https://mailman.mit.edu/mailman/listinfo/kerberos
>     >
>     >
>     OK you can use host key to armor the FAST tunnel for a client system if
>     your host is also a part of the Kerberos realm.
>     You can check FreeIPA project, there all these pieces are integrated and
>     automated.
>     
>     -- 
>     Thank you,
>     Dmitri Pal
>     
>     Engineering Director, Identity Management and Platform Security
>     Red Hat, Inc.
>     


-- 
Thank you,
Dmitri Pal

Engineering Director, Identity Management and Platform Security
Red Hat, Inc.
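
Added example, not part of the original thread or of any project mentioned in it: a small audit of the two settings the thread raises, assuming MIT krb5's `udp_preference_limit` (client `[libdefaults]`, where `1` makes the library try TCP first) and `restrict_anonymous_to_tgt` (KDC `[realms]`). The sample files and the `EXAMPLE.COM` realm are constructed placeholders.

```python
import re

TRUE = {"y", "yes", "true", "t", "1", "on"}  # boolean spellings MIT profiles accept

def parse_profile(text):
    """Parse krb5 profile text into nested dicts ([sections], name = { ... })."""
    root, stack = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:
            stack = [root.setdefault(m.group(1), {})]
        elif line == "}" and len(stack) > 1:
            stack.pop()
        elif "=" in line and stack:
            key, value = (p.strip() for p in line.split("=", 1))
            if value == "{":
                stack.append(stack[-1].setdefault(key, {}))
            else:
                stack[-1][key] = value
    return root

def audit(krb5_conf, kdc_conf):
    """Return findings for the two settings discussed in the thread."""
    findings = []
    libdefaults = parse_profile(krb5_conf).get("libdefaults", {})
    if libdefaults.get("udp_preference_limit") != "1":
        findings.append("client: udp_preference_limit != 1 (TCP is not tried first)")
    for realm, opts in parse_profile(kdc_conf).get("realms", {}).items():
        flag = opts.get("restrict_anonymous_to_tgt", "false") if isinstance(opts, dict) else "false"
        if flag.lower() not in TRUE:
            findings.append(f"kdc {realm}: restrict_anonymous_to_tgt is not enabled")
    return findings

# Constructed sample files; EXAMPLE.COM is a placeholder realm.
WEAK_KRB5 = "[libdefaults]\n default_realm = EXAMPLE.COM\n"
WEAK_KDC = "[realms]\n EXAMPLE.COM = {\n  max_life = 12h\n }\n"
GOOD_KRB5 = "[libdefaults]\n default_realm = EXAMPLE.COM\n udp_preference_limit = 1\n"
GOOD_KDC = "[realms]\n EXAMPLE.COM = {\n  restrict_anonymous_to_tgt = true\n }\n"

if __name__ == "__main__":
    for name, files in (("weak", (WEAK_KRB5, WEAK_KDC)), ("fixed", (GOOD_KRB5, GOOD_KDC))):
        print(name, audit(*files) or "ok")
```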


