OTP, RADIUS, timeouts
Tollef Fog Heen
tfheen at err.no
Tue Dec 23 03:48:01 EST 2014
]] Greg Hudson
> On 12/22/2014 05:49 AM, Tollef Fog Heen wrote:
> > I'm trying to set up the MIT KDC with support for OTP tokens (yubikeys
> > in my case, as a single factor, at least initially). I have the entire
> > bit from the RADIUS server and backwards working correctly, but I can't
> > get the KDC to see replies from the RADIUS server, it complains about
> > «connection timed out». Platform in Debian jessie with the packaged
> > 1.12.1, but I see the same problem with a 1.13 tar.gz build.
> I'm not sure why you're getting this. A local firewall could perhaps
> cause this problem, but I don't have high confidence in that hypothesis.
> You may need to instrument or debug the OTP verification code
> (otp_verify in src/plugins/preauth/otp/main.c) and the RADIUS server, or
> look at a packet trace with tcpdump or wireshark.
The problem goes away if I use the bundled libverto, so I suspect this
is either a bug in Debian's libverto (version 0.2.4) or the krad ↔
libverto interaction. I've done a quick check with t_otp.py and the
0.2.6 upstream version of libverto and it seems to work better.
After a bit more digging, it turns out that the fix is:
Author: Nathaniel McCallum <npmccallum at redhat.com>
Date: Fri Feb 10 01:13:30 2012 -0500
fix libev's set_flags() implementation
diff --git a/src/verto-libev.c b/src/verto-libev.c
index 2eb08fc..9c7c324 100644
@@ -106,7 +106,9 @@ libev_ctx_set_flags(verto_mod_ctx *ctx, const verto_ev *ev,
if (verto_get_flags(ev) & VERTO_EV_FLAG_IO_WRITE)
events |= EV_WRITE;
+ ev_io_stop(ctx, (ev_io*) evpriv);
ev_io_set(((ev_io*) evpriv), verto_get_fd(ev), events);
+ ev_io_start(ctx, (ev_io*) evpriv);
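Review bot: the unconditional ev_io_start after ev_io_set will activate a watcher that was not running before set_flags was called, so a caller that only wanted to change the event mask on a stopped watcher will find it unexpectedly started; guard the restart with the watcher's prior state, e.g. `int was_active = ev_is_active((ev_io*) evpriv);` before the stop and `if (was_active) ev_io_start(ctx, (ev_io*) evpriv);` after the set. The stop before ev_io_set itself is correct, since libev requires a watcher to be inactive when its fd/events are changed, and that is what makes the krad socket's write-then-read switch actually take effect instead of the reply never being polled for.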
After applying this to Debian's 0.2.4 libverto, I can now get a ticket
using just a Yubikey, so that's pretty cool.
I'll file a bug in Debian, hopefully Sam can get this snuck in even
though we're in a freeze.
Tollef Fog Heen
UNIX is user friendly, it's just picky about who its friends are