Information request Duo Integration for kinit
Greg Hudson
ghudson at mit.edu
Fri Oct 16 17:49:03 EDT 2015
On 10/16/2015 12:23 PM, Booker Bense wrote:
> In poking around on the web, I've found that MIT has some duo integration
> for the kinit program.
>
> Is there any documentation available on how this was implemented?

It's a custom kdcpreauth module using the SAM-2 mechanism, with repeated
KDC_ERR_PREAUTH_REQUIRED responses and KDC state. We are hoping to make
it open source at some point, but need to do some cleanup first.

The security properties of SAM-2 aren't great, and it isn't implemented
in any krb5 implementation other than MIT's. We are also working on a
SPAKE2-based preauth mechanism which should eventually enable a much
better integration of second factors, including Duo.

(CC'd Richard Basch as he asked the same question a couple of weeks ago.)