Information request Duo Integration for kinit

Greg Hudson ghudson at
Fri Oct 16 17:49:03 EDT 2015

On 10/16/2015 12:23 PM, Booker Bense wrote:
> In poking around on the web, I've found that MIT has some duo integration
> for
> the kinit program.
> Is there any docmentation available on how this was implemented?

It's a custom kdcpreauth module using the SAM-2 mechanism, with repeated
KDC_ERR_PREAUTH_REQUIRED responses and KDC state.  We are hoping to make
it open source at some point, but need to do some cleanup first.

The security properties of SAM-2 aren't great, and it isn't implemented
in any krb5 implementation other than MIT's.  We are also working on a
SPAKE2-based preauth mechanism which should eventually enable a much
better integration of second factors, including Duo.

(CC'd Richard Basch as he asked the same question a couple of weeks ago.)

More information about the Kerberos mailing list