2FA with krb5

[Dan Mahoney (Gushi)]

All,

We use Kerberos but NOT LDAP at the day job.

We'd like to be able to leverage 2fa for some services (admins) and some 
services (ssh logins) but not have to pump a 2fa code into, say, our mail 
applications.  Is there a way to make the acquisition of a TGT (for GSSAPI 
authentication) vs Password Authentication require 2fa?

That's complication number one.

Complication number 2 is something like "SecurID is *expensive* for a 
fairly small (<10) admin team."

Is there any reasonable support for off-the-shelf TOTP or HOTP 
authenticators, i.e. google authenticator or whatnot?  If so, is there 
support to have a user have *multiple* available authenticators, such that 
one can be expired and others not?

Googling this all gets me a bunch of (some older, some newer articles 
about the varying states of SPAKE and the like), and...a whole bunch of 
ads now being shown for startups that want to do it differently but I'm 
SURE no way to integrate with this.

The final problem, of course, is that if I make all my KDC's 2fa-aware on 
their own, there's no communication of double-use of a token, unless I 
centralize things, which breaks the purpose of having geo-diverse KDC's. 
I don't suppose the kerberos db replication mechanism has anything that 
can also share this state?

This is all pie-in-the-sky stuff, but practical answers "just an FAQ" are 
hard to find.

-Dan

-- 

--------Dan Mahoney--------
Techie,  Sysadmin,  WebGeek
Gushi on efnet/undernet IRC
FB:  fb.com/DanielMahoneyIV
LI:   linkedin.com/in/gushi
Site:  http://www.gushi.org
---------------------------