pam-krb5 4.5 released

Greg Hudson ghudson at MIT.EDU
Fri Feb 10 16:12:19 EST 2012


On 02/10/2012 03:35 PM, Stephen Frost wrote:
> First- I *think* I've done everything correct to get pam-krb5 to
> use FAST (which is to say, set up k5start, verified it gets a
> valid ticket, configured krb5.conf w/ the fast_ccache parameter,
> etc), but I have no idea how to tell if it's *actually* getting
> used.

I think the best way to verify is using a packet trace.  Trace logging
would ordinarily be the best way, but $KRB5_TRACE won't work with a
secure context and I don't think pam_krb5 has yet added an option to
turn on trace logging via the API.

If you use wireshark to decode the AS-REQ, you should see padata type
136 in the request if FAST is in use.

> Is there any way to eliminate the need for this first password?

Not with the securid-sam2 preauth module.  It implements the
send-encrypted-sad method of SAM2 preauth, which requires the user's
long-term key to be used to encrypt the OTP value.

Work is underway on an implementation of a more modern FAST OTP
mechanism which will allow this.  See
https://fedorahosted.org/AuthHub/ for more information.
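As an added example (not code from this thread, pam-krb5 or AuthHub), the same check Greg describes, done on the raw AS-REQ bytes instead of in Wireshark: walk the DER structure of the [APPLICATION 10] KDC-REQ and report whether padata type 136 (PA-FX-FAST) is present. The sample AS-REQ is constructed inline with a dummy req-body; with a real capture you would pass the AS-REQ bytes carved from the UDP payload (or the TCP payload after its 4-byte length prefix).

```python
# Added example: detect PA-FX-FAST (padata type 136) in a DER-encoded Kerberos AS-REQ.
PA_FX_FAST = 136

def read_tlv(buf, pos):
    """Decode the DER TLV at pos -> (tag, body, next_pos); handles long-form lengths."""
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first & 0x80:                         # long form: (first & 0x7F) length bytes follow
        n = first & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length

def padata_types(as_req):
    """Return the padata-type values of an AS-REQ ([APPLICATION 10] KDC-REQ)."""
    tag, kdc_req, _ = read_tlv(as_req, 0)
    if tag != 0x6A:
        raise ValueError("not an AS-REQ (expected [APPLICATION 10])")
    _, fields, _ = read_tlv(kdc_req, 0)      # KDC-REQ SEQUENCE
    types, pos = [], 0
    while pos < len(fields):
        ctag, body, pos = read_tlv(fields, pos)
        if ctag != 0xA3:                     # padata is field [3]; skip pvno, msg-type, req-body
            continue
        _, entries, _ = read_tlv(body, 0)    # SEQUENCE OF PA-DATA
        epos = 0
        while epos < len(entries):
            _, pa, epos = read_tlv(entries, epos)   # one PA-DATA SEQUENCE
            _, t_field, _ = read_tlv(pa, 0)         # padata-type [1]
            _, t_int, _ = read_tlv(t_field, 0)      # INTEGER
            types.append(int.from_bytes(t_int, "big", signed=True))
    return types

def uses_fast(as_req):
    return PA_FX_FAST in padata_types(as_req)

# --- constructed sample input (short-form DER lengths only; not a real capture) ---
def tlv(tag, body):
    assert len(body) < 0x80
    return bytes([tag, len(body)]) + body

def der_int(v):
    return tlv(0x02, v.to_bytes(max(1, (v.bit_length() + 8) // 8), "big"))

def build_as_req(pa_types):
    # Minimal AS-REQ: pvno 5, msg-type 10, optional padata [3], empty req-body [4].
    padata = b"".join(tlv(0x30, tlv(0xA1, der_int(t)) + tlv(0xA2, tlv(0x04, b"\x00"))) for t in pa_types)
    fields = tlv(0xA1, der_int(5)) + tlv(0xA2, der_int(10))
    if pa_types:
        fields += tlv(0xA3, tlv(0x30, padata))
    fields += tlv(0xA4, tlv(0x30, b""))
    return tlv(0x6A, tlv(0x30, fields))
```

A request armored with FAST shows 136 among the types (other preauth types such as 2, PA-ENC-TIMESTAMP, still appear inside the FAST armor or alongside it); a plain AS-REQ does not.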