2FA with krb5
Simo Sorce
simo at redhat.com
Thu Oct 7 15:06:14 EDT 2021
On Thu, 2021-10-07 at 11:50 -0700, Russ Allbery wrote:
> Ken Hornstein <kenh at cmf.nrl.navy.mil> writes:
>
> > I am not sure of the client coverage of the OTP FAST factor, though.
>
> For what it's worth, although my pam-krb5 module implements FAST including
> both keyed and anonymous FAST, it does not implement FAST OTP. This is
> because (a) I didn't find any documentation of what I was supposed to do
> as a client (it's been years since I looked so this quite possibly has
> changed), and (b) attempting to set up a reasonable test environment
> looked painful. In particular, there was (at the time, again haven't
> checked recently) a lot of hand-waving about exactly to set up the RADIUS
> part, since MIT Kerberos just treats it as an oracle.
It is somewhat documented, but see below.
> I haven't checked if sssd supports FAST OTP. That seems much more likely
> given that they probably have enterprise use cases that would warrant
> implementing it.
It does, and FreeIPA implements the server part, so you can look there
for examples and testing capabilities if you are so inclined.
> I'd be happy to take pull requests since I try to make pam-krb5 reasonably
> completionist as a hobby (although be aware that it's a purely hobby
> project at this point), but they would need to include changes to the ci
> directory to set up the KDC and RADIUS server appropriately so that the
> test suite could do a proper end-to-end integration test.
HTH,
Simo.
--
Simo Sorce
RHEL Crypto Team
Red Hat, Inc
More information about the Kerberos
mailing list