Kerberos OTP with FreeRadius
Brennecke, Simon
simon.brennecke at sap.com
Fri Jul 7 01:54:19 EDT 2017
Hi all,
I'm trying to configure a MIT Kerberos server (I belive version 1.15) to do OTP preauth against a FreeRadius server on a Debian 9 host.
What I did so far was:
1) installed and configured FreeRadius to only do OTP with google-authenticator via PAM => works
2) installed and configured MIT kerberos with a couple of principials => "kinit -p simon" works
3) I followed https://web.mit.edu/kerberos/krb5-1.13/doc/admin/otp.html
4) I realized that I probably also need PKINIT for FAST to work, so I also followed https://web.mit.edu/kerberos/krb5-1.13/doc/admin/pkinit.html, but only the server portion. I skipped the client part. I was using my own CA.
5) I did 'set_string simon otp "[]"' and "modprinc +need_pre_auth simon"
6) restarted KDC
Here is were I am a bit unsure now. I kinda expect "kinit -p simon" now to either ask me for my password AND my OTP token, or at least fail with some error message. But instead it succeeds if I just enter my password.
>From the logs I can see, that the OTP module gets loaded and when I do kinit that some sort of PREAUTH is required, but apparently it is handled successfully and completly without OTP token.
I then started to fiddle with the "authentication indicators", but I'm afraid I do not properly understand their part in all this.
Can somebody please advise me what is missing?
Also can sombody explain how this integrates with PAM-kerberos on a client machine? Will PAM then prompt the user for the OTP token and password?
Many thanks & Regards
Simon
More information about the Kerberos
mailing list