pam-krb5 4.5 released
Greg Hudson
ghudson at MIT.EDU
Fri Feb 10 16:12:19 EST 2012
On 02/10/2012 03:35 PM, Stephen Frost wrote:
> First- I *think* I've done everything correct to get pam-krb5 to
> use FAST (which is to say, set up k5start, verified it gets a
> valid ticket, configured krb5.conf w/ the fast_ccache parameter,
> etc), but I have no idea how to tell if it's *actually* getting
> used.
I think the best way to verify is using a packet trace. Trace logging
would ordinarily be the best way, but $KRB5_TRACE won't work with a
secure context and I don't think pam_krb5 has yet added an option to
turn on trace logging via the API.
If you use wireshark to decode the AS-REQ, you should see padata type
136 in the request if FAST is in use.
> Is there any way to eliminate the need for this first password?
Not with the securid-sam2 preauth module. It implements the
send-encrypted-sad method of SAM2 preauth, which requires the user's
long-term key to be used to encrypt the OTP value.
Work is underway on an implementation of a more modern FAST OTP
mechanism which will allow this. See
https://fedorahosted.org/AuthHub/ for more information.
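Greg's check is to look for padata type 136 (PA-FX-FAST, RFC 6113) in the AS-REQ. As an added example, not from this thread and not code from pam-krb5 or MIT Kerberos, here is a small Python DER walker that lists the padata types an AS-REQ carries and flags FAST; the two sample requests are constructed by the block's own `build_as_req` helper, not captured from a client.

```python
PA_FX_FAST = 136  # RFC 6113 padata type carrying the FAST armored request

def tlv(tag, body):
    n = len(body)
    assert n < 256      # DER; one long-form length byte covers the samples here
    return bytes([tag]) + (bytes([n]) if n < 0x80 else bytes([0x81, n])) + body

def der_int(n):
    # Two's-complement INTEGER: values with the top bit set need a leading zero.
    return tlv(0x02, n.to_bytes(max(1, (n.bit_length() + 8) // 8), "big"))

def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the DER element at buf[pos]."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                      # long-form length
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

def children(body):
    pos = 0                            # iterate the elements of a constructed body
    while pos < len(body):
        tag, val, pos = read_tlv(body, pos)
        yield tag, val

def padata_types(as_req):
    """padata-type values of an AS-REQ ::= [APPLICATION 10] KDC-REQ (RFC 4120)."""
    tag, kdc_req, _ = read_tlv(as_req)
    assert tag == 0x6A, "not an AS-REQ"
    types = []
    for ctag, cval in children(read_tlv(kdc_req)[1]):    # KDC-REQ SEQUENCE fields
        if ctag == 0xA3:                                   # padata [3] SEQUENCE OF PA-DATA
            for _, pa in children(read_tlv(cval)[1]):
                for ptag, pval in children(pa):
                    if ptag == 0xA1:                       # padata-type [1] Int32
                        types.append(int.from_bytes(read_tlv(pval)[1], "big"))
    return types

def uses_fast(as_req):
    return PA_FX_FAST in padata_types(as_req)

def build_as_req(ptypes):
    """Constructed AS-REQ skeleton: pvno 5, msg-type 10, given padata, empty req-body."""
    pas = b"".join(tlv(0x30, tlv(0xA1, der_int(t)) + tlv(0xA2, tlv(0x04, b"\x00")))
                   for t in ptypes)
    fields = (tlv(0xA1, der_int(5)) + tlv(0xA2, der_int(10))
              + tlv(0xA3, tlv(0x30, pas)) + tlv(0xA4, tlv(0x30, b"")))
    return tlv(0x6A, tlv(0x30, fields))
PLAIN_AS_REQ = build_as_req([2])          # constructed: PA-ENC-TIMESTAMP only
FAST_AS_REQ = build_as_req([PA_FX_FAST])  # constructed: request wrapped in FAST
```

On a real capture, feed `padata_types` the Kerberos payload of the client's request (the UDP payload, or the TCP payload after its 4-byte length prefix); a FAST-armored request shows 136 in that list while the inner request stays inside the armor.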