OTP, RADIUS, timeouts

Tollef Fog Heen tfheen at err.no
Mon Dec 22 05:49:54 EST 2014


(Not subscribed, please Cc me on replies)

Hi all,

I'm trying to set up the MIT KDC with support for OTP tokens (yubikeys
in my case, as a single factor, at least initially).  I have the entire
bit from the RADIUS server and backwards working correctly, but I can't
get the KDC to see replies from the RADIUS server, it complains about
«connection timed out».  Platform is Debian jessie with the packaged
1.12.1, but I see the same problem with a 1.13 tar.gz build.

The problem also shows itself when running the t_otp test (where I had
to change the type of User-Password to octets instead of string, but I
doubt that's the problem):

: tfheen@xoog ..5-1.12.1+dfsg/build/tests > PYTHONPATH=../../src/util VALGRIND="" python ../../src/tests/t_otp.py -v
*** [1] Executing: /tmp/krb5-1.12.1+dfsg/build/kadmin/dbutil/kdb5_util create -W -s -P master
Loading random data
Initializing database '/etc/krb5kdc/principal' for realm 'KRBTEST.COM',
master key name 'K/M@KRBTEST.COM'
*** [1] Completed with return code 0
*** [2] Executing: /tmp/krb5-1.12.1+dfsg/build/kadmin/cli/kadmin.local -q addprinc -pw user4812 user@KRBTEST.COM
WARNING: no policy specified for user@KRBTEST.COM; defaulting to no policy
Authenticating as principal tfheen/admin@KRBTEST.COM with password.
Principal "user@KRBTEST.COM" created.
*** [2] Completed with return code 0
*** [3] Executing: /tmp/krb5-1.12.1+dfsg/build/kadmin/cli/kadmin.local -q addprinc -pw admin4812 user/admin@KRBTEST.COM
WARNING: no policy specified for user/admin@KRBTEST.COM; defaulting to no policy
Authenticating as principal tfheen/admin@KRBTEST.COM with password.
Principal "user/admin@KRBTEST.COM" created.
*** [3] Completed with return code 0
*** [4] Executing: /tmp/krb5-1.12.1+dfsg/build/kadmin/cli/kadmin.local -q addprinc -randkey host/xoog.err.no@KRBTEST.COM
WARNING: no policy specified for host/xoog.err.no@KRBTEST.COM; defaulting to no policy
Authenticating as principal tfheen/admin@KRBTEST.COM with password.
Principal "host/xoog.err.no@KRBTEST.COM" created.
*** [4] Completed with return code 0
*** [5] Executing: /tmp/krb5-1.12.1+dfsg/build/kadmin/cli/kadmin.local -q ktadd -k /tmp/krb5-1.12.1+dfsg/build/tests/testdir/keytab -norandkey host/xoog.err.no@KRBTEST.COM
Authenticating as principal tfheen/admin@KRBTEST.COM with password.
Entry for principal host/xoog.err.no@KRBTEST.COM with kvno 1, encryption type aes256-cts-hmac-sha1-96 added to keytab WRFILE:/tmp/krb5-1.12.1+dfsg/build/tests/testdir/keytab.
Entry for principal host/xoog.err.no@KRBTEST.COM with kvno 1, encryption type aes128-cts-hmac-sha1-96 added to keytab WRFILE:/tmp/krb5-1.12.1+dfsg/build/tests/testdir/keytab.
Entry for principal host/xoog.err.no@KRBTEST.COM with kvno 1, encryption type des3-cbc-sha1 added to keytab WRFILE:/tmp/krb5-1.12.1+dfsg/build/tests/testdir/keytab.
Entry for principal host/xoog.err.no@KRBTEST.COM with kvno 1, encryption type arcfour-hmac added to keytab WRFILE:/tmp/krb5-1.12.1+dfsg/build/tests/testdir/keytab.
*** [5] Completed with return code 0
*** [6] Starting: /tmp/krb5-1.12.1+dfsg/build/kdc/krb5kdc -n
krb5kdc: starting...
*** [6] Started with pid 4818
*** [7] Executing: /tmp/krb5-1.12.1+dfsg/build/clients/kinit/kinit user@KRBTEST.COM
Password for user@KRBTEST.COM: 
*** [7] Completed with return code 0
*** [8] Executing: /tmp/krb5-1.12.1+dfsg/build/clients/klist/klist /tmp/krb5-1.12.1+dfsg/build/tests/testdir/ccache
Ticket cache: FILE:/tmp/krb5-1.12.1+dfsg/build/tests/testdir/ccache
Default principal: user@KRBTEST.COM

Valid starting     Expires            Service principal
12/22/14 11:45:10  12/23/14 11:45:10  krbtgt/KRBTEST.COM@KRBTEST.COM
*** [8] Completed with return code 0
*** [9] Executing: /tmp/krb5-1.12.1+dfsg/build/kadmin/cli/kadmin.local -q modprinc +requires_preauth user@KRBTEST.COM
Authenticating as principal user/admin@KRBTEST.COM with password.
Principal "user@KRBTEST.COM" modified.
*** [9] Completed with return code 0
*** [10] Executing: /tmp/krb5-1.12.1+dfsg/build/kadmin/cli/kadmin.local -q setstr user@KRBTEST.COM otp "[{""type"": ""udp"", ""username"": ""custom""}]"
Authenticating as principal user/admin@KRBTEST.COM with password.
Attribute set for principal "user@KRBTEST.COM".
*** [10] Completed with return code 0
*** [11] Executing: /tmp/krb5-1.12.1+dfsg/build/clients/kinit/kinit -T /tmp/krb5-1.12.1+dfsg/build/tests/testdir/ccache user@KRBTEST.COM
Enter OTP Token Value: 
kinit: Preauthentication failed while getting initial credentials
*** [11] Completed with return code 1
*** [12] Executing: /tmp/krb5-1.12.1+dfsg/build/kadmin/cli/kadmin.local -q setstr user@KRBTEST.COM otp "[{""type"": ""udp""}]"
Authenticating as principal user/admin@KRBTEST.COM with password.
Attribute set for principal "user@KRBTEST.COM".
*** [12] Completed with return code 0
*** [13] Executing: /tmp/krb5-1.12.1+dfsg/build/clients/kinit/kinit -T /tmp/krb5-1.12.1+dfsg/build/tests/testdir/ccache user@KRBTEST.COM
Enter OTP Token Value: 
kinit: Preauthentication failed while getting initial credentials
*** [13] Completed with return code 1
*** Failure: /tmp/krb5-1.12.1+dfsg/build/clients/kinit/kinit failed with code 1.

Use --debug=NUM to run a command under a debugger.  Use
--stop-after=NUM to stop after a daemon is started in order to
attach to it with a debugger.  Use --help to see other options.

: tfheen@xoog ..5-1.12.1+dfsg/build/tests > cat testdir/kdc.log 
otp: Loaded
Dec 22 11:45:10 xoog krb5kdc[4818](info): setting up network...
Dec 22 11:45:10 xoog krb5kdc[4818](info): listening on fd 12: udp 0.0.0.0.61000 (pktinfo)
krb5kdc: setsockopt(13,IPV6_V6ONLY,1) worked
krb5kdc: Invalid argument - Cannot request packet info for udp socket address :: port 61000
Dec 22 11:45:10 xoog krb5kdc[4818](info): skipping unrecognized local address family 17
Dec 22 11:45:10 xoog krb5kdc[4818](info): skipping unrecognized local address family 17
krb5kdc: setsockopt(13,IPV6_V6ONLY,1) worked
Dec 22 11:45:10 xoog krb5kdc[4818](info): listening on fd 13: udp 2001:840:4007:8:76d0:2bff:fe95:471b.61000
krb5kdc: setsockopt(14,IPV6_V6ONLY,1) worked
Dec 22 11:45:10 xoog krb5kdc[4818](info): listening on fd 14: udp 2001:840:4007:8::123.61000
krb5kdc: setsockopt(15,IPV6_V6ONLY,1) worked
Dec 22 11:45:10 xoog krb5kdc[4818](info): listening on fd 15: udp fe80::76d0:2bff:fe95:471b%eth0.61000
krb5kdc: setsockopt(16,IPV6_V6ONLY,1) worked
Dec 22 11:45:10 xoog krb5kdc[4818](info): listening on fd 17: tcp 0.0.0.0.61000
Dec 22 11:45:10 xoog krb5kdc[4818](info): listening on fd 16: tcp ::.61000
Dec 22 11:45:10 xoog krb5kdc[4818](info): set up 6 sockets
Dec 22 11:45:10 xoog krb5kdc[4818](info): commencing operation
Dec 22 11:45:10 xoog krb5kdc[4818](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 127.0.0.1: ISSUE: authtime 1419245110, etypes {rep=18 tkt=18 ses=18}, user@KRBTEST.COM for krbtgt/KRBTEST.COM@KRBTEST.COM
Dec 22 11:45:10 xoog krb5kdc[4818](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 127.0.0.1: NEEDED_PREAUTH: user@KRBTEST.COM for krbtgt/KRBTEST.COM@KRBTEST.COM, Additional pre-authentication required
Dec 22 11:45:11 xoog krb5kdc[4818](info): DISPATCH: repeated (retransmitted?) request from 127.0.0.1, resending previous response
Dec 22 11:45:11 xoog krb5kdc[4818](info): closing down fd 19
Dec 22 11:45:14 xoog krb5kdc[4818](info): preauth (otp) verify failure: Connection timed out
Dec 22 11:45:14 xoog krb5kdc[4818](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 127.0.0.1: PREAUTH_FAILED: user@KRBTEST.COM for krbtgt/KRBTEST.COM@KRBTEST.COM, Preauthentication failed
Dec 22 11:45:14 xoog krb5kdc[4818](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 127.0.0.1: NEEDED_PREAUTH: user@KRBTEST.COM for krbtgt/KRBTEST.COM@KRBTEST.COM, Additional pre-authentication required
Dec 22 11:45:15 xoog krb5kdc[4818](info): DISPATCH: repeated (retransmitted?) request from 127.0.0.1, resending previous response
Dec 22 11:45:15 xoog krb5kdc[4818](info): closing down fd 19
Dec 22 11:45:18 xoog krb5kdc[4818](info): preauth (otp) verify failure: Connection timed out
Dec 22 11:45:18 xoog krb5kdc[4818](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 127.0.0.1: PREAUTH_FAILED: user@KRBTEST.COM for krbtgt/KRBTEST.COM@KRBTEST.COM, Preauthentication failed
Dec 22 11:45:18 xoog krb5kdc[4818](debug): Got signal to request exit
Dec 22 11:45:18 xoog krb5kdc[4818](info): closing down fd 16
Dec 22 11:45:18 xoog krb5kdc[4818](info): closing down fd 17
Dec 22 11:45:18 xoog krb5kdc[4818](info): closing down fd 15
Dec 22 11:45:18 xoog krb5kdc[4818](info): closing down fd 14
Dec 22 11:45:18 xoog krb5kdc[4818](info): closing down fd 13
Dec 22 11:45:18 xoog krb5kdc[4818](info): closing down fd 12
Dec 22 11:45:18 xoog krb5kdc[4818](info): shutting down

Ideas?

-- 
Tollef Fog Heen
UNIX is user friendly, it's just picky about who its friends are
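
As an added example (not part of the original post, and not MIT krb5's own code), the RADIUS leg of the exchange above can be exercised on its own with a minimal RFC 2865 client and a loopback responder, which makes the KDC-side "Connection timed out" easier to pin down. It shows two things the KDC log hides: User-Password goes on the wire as MD5-masked octets keyed by the shared secret and the Request Authenticator, so it is an opaque octet string rather than text; and a well-behaved client discards any reply whose Response Authenticator does not verify, so a mismatched shared secret is reported as a timeout, not as an error. The loopback address, the secret, the user name and the token value are made up for the demonstration.

```python
# Added example (not code from the original post or from MIT krb5): a minimal RFC 2865
# RADIUS/PAP client and a loopback responder. Secret, user and token value are made up.
import hashlib, hmac, os, socket, struct, threading, time

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2

def pap_encrypt(password, secret, req_auth):
    """RFC 2865 5.2: pad to a 16-byte multiple, XOR each block with MD5(secret + prev)."""
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], mask))
        out += prev
    return out  # opaque octets on the wire, never a printable string

def encode(code, ident, authenticator, attrs):
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body

def decode(pkt):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    attrs, i = [], 20
    while i + 2 <= length:
        t, l = pkt[i], pkt[i + 1]
        attrs.append((t, pkt[i + 2:i + l]))
        i += max(l, 2)
    return code, ident, pkt[4:20], attrs

def response_authenticator(reply, req_auth, secret):
    """RFC 2865 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    return hashlib.md5(reply[:4] + req_auth + reply[20:] + secret).digest()

class FakeRadiusServer(threading.Thread):
    """Loopback responder: Access-Accept iff the PAP password matches the token table."""
    def __init__(self, secret, tokens):
        super().__init__(daemon=True)
        self.secret, self.tokens, self.running = secret, tokens, True
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        self.sock.bind(("127.0.0.1", 0))
        self.sock.settimeout(0.1)
        self.addr = self.sock.getsockname()

    def run(self):
        while self.running:
            try:
                pkt, peer = self.sock.recvfrom(4096)
            except socket.timeout:
                continue
            code, ident, req_auth, attrs = decode(pkt)
            if code != ACCESS_REQUEST:
                continue
            a = dict(attrs)
            # Compare ciphertexts: re-encrypt the expected token under this request's authenticator.
            expected = pap_encrypt(self.tokens.get(a.get(ATTR_USER_NAME), b"?"), self.secret, req_auth)
            ok = hmac.compare_digest(a.get(ATTR_USER_PASSWORD, b""), expected)
            reply = encode(ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, bytes(16), [])
            auth = response_authenticator(reply, req_auth, self.secret)
            self.sock.sendto(reply[:4] + auth + reply[20:], peer)
        self.sock.close()

def radius_auth(server, secret, user, password, timeout=2.0):
    """One Access-Request; returns 'accept', 'reject' or 'timeout'. Replies whose Response
    Authenticator does not verify are dropped, so a wrong secret looks like no reply at all."""
    ident, req_auth = os.urandom(1)[0], os.urandom(16)
    attrs = [(ATTR_USER_NAME, user),
             (ATTR_USER_PASSWORD, pap_encrypt(password, secret, req_auth))]
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        sock.sendto(encode(ACCESS_REQUEST, ident, req_auth, attrs), server)
        deadline = time.monotonic() + timeout
        while (left := deadline - time.monotonic()) > 0:
            sock.settimeout(left)
            try:
                pkt, _ = sock.recvfrom(4096)
            except socket.timeout:
                break
            if len(pkt) < 20 or pkt[1] != ident or not hmac.compare_digest(
                    pkt[4:20], response_authenticator(pkt, req_auth, secret)):
                continue  # stale, forged or wrong-secret reply: discard
            return "accept" if pkt[0] == ACCESS_ACCEPT else "reject"
        return "timeout"
    finally:
        sock.close()

def demo():
    # Three exchanges against the loopback responder; all values are constructed.
    secret, token = b"testing123", b"ccccccbtdjhhnlkbivrhtcibhjffhekvivubhjrhjkhe"
    server = FakeRadiusServer(secret, {b"custom": token})
    server.start()
    try:
        return {"valid": radius_auth(server.addr, secret, b"custom", token),
                "bad_token": radius_auth(server.addr, secret, b"custom", b"000000"),
                "wrong_secret": radius_auth(server.addr, b"wrong", b"custom", token, 0.5)}
    finally:
        server.running = False
        server.join()
```

Against a real server, point radius_auth() at its address and port with the secret the KDC is configured with. If the loopback cases pass but the real one still returns "timeout", the usual suspects are the shared secret, a port or firewall mismatch, the server not listening on the address family the KDC sends from, or a server that silently ignores requests from a source address it has no client entry for (FreeRADIUS does this rather than sending a reject).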