[EXTERNAL] Re: FAST OTP

Felix Weissbeck contact-kerberos at w7k.de
Sun Aug 28 11:52:41 EDT 2016


Hello Glenn

On Sunday, 28 August 2016 01:10:12 CEST Machin, Glenn D wrote:
> 
> Next step was to be able to use it for login/sudo. I modified the
> pam_krb5 step to below in system-auth. What I see on the KDC is only
> encrypted timestamp preauth.

Even if you have configured OTP, auth via encrypted timestamp should still 
work. I don't know if you can configure pam_krb5 not to try timestamp, but you 
could try purging the password from the krb-storage with 
   kadmin.local:  purgekeys -all  myprinc@REALM
and see if the module falls back to OTP.

> Next step was to be able to use it for login/sudo. 

you might also want to take a look at the Secure Services Storage Daemon 
(sssd). It supports preauth with pkinit and it should support OTP with anonymous 
tickets.
I'm using it for sudo with sudoers coming from my LDAP directory, but you 
could also authenticate sudo against the sssd PAM module.
 
> Any help would be appreciated.
> Glenn

Best regards
  Felix 
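Added example, not part of either message above: a small POSIX sh helper that answers Glenn's question ("only encrypted timestamp preauth on the KDC") from the client side, by reading MIT krb5's KRB5_TRACE output to see which preauth module actually succeeded and whether FAST armor was in use. It also wraps Felix's purgekeys suggestion as a separate, explicitly destructive step. Assumptions that the thread does not state: an MIT krb5 client (1.12 or later trace format), anonymous PKINIT (kinit -n) working against the KDC, and the principal glenn@EXAMPLE.COM and the armor cache path, which are placeholders.

```shell
# Added example (not from the thread). Classifies the preauth used by an
# MIT krb5 AS exchange from its KRB5_TRACE output.
# Assumptions: MIT krb5 >= 1.12 trace format; glenn@EXAMPLE.COM and
# /tmp/armor_ccache are placeholders; "kinit -n" (anonymous PKINIT) works.

# Print the preauth module that reported success as "<name> <padata-type>",
# e.g. "otp 141" or "encrypted_timestamp 2". Reads trace text on stdin.
# A trace line of interest looks like (constructed from the MIT format):
#   [1234] 1472364612.5: Preauth module otp (141) (real) returned: 0/Success
preauth_used() {
    sed -n 's/.*Preauth module \([a-z_]*\) (\([0-9]*\)) (real) returned: 0\/Success.*/\1 \2/p' \
        | tail -n 1
}

# Exit 0 if the trace shows a FAST armor key being set up ("FAST armor key: ...").
fast_used() {
    grep -q 'FAST armor key'
}

# Combine both into a one-line verdict. OTP preauth (RFC 6560) is only
# defined inside FAST, so "otp" without armor points at a client-side problem.
preauth_verdict() {
    trace=$(cat)
    mod=$(printf '%s\n' "$trace" | preauth_used | cut -d' ' -f1)
    if printf '%s\n' "$trace" | fast_used; then fast=yes; else fast=no; fi
    case "$mod:$fast" in
        otp:yes)               echo "OK: OTP preauth inside a FAST tunnel" ;;
        otp:no)                echo "WARN: OTP reported without FAST armor; check the armor ccache" ;;
        encrypted_timestamp:*) echo "INFO: encrypted timestamp used; the long-term key is still present" ;;
        :*)                    echo "FAIL: no preauth module succeeded" ;;
        *)                     echo "INFO: $mod preauth used" ;;
    esac
}

# Felix's suggestion: drop the principal's long-term keys so encrypted
# timestamp cannot succeed. Destructive; run it only on a test principal.
purge_long_term_keys() {
    kadmin.local -q "purgekeys -all $1"
}

# Live check: obtain an anonymous armor ticket, run an armored AS exchange
# for the user (kinit prompts for the password/OTP on the terminal), then
# classify the trace. Needs a KDC, so it runs only when RUN_LIVE_CHECK=1.
check_login_preauth() {
    princ=$1
    armor=${2:-/tmp/armor_ccache}
    tracefile=$(mktemp)
    kinit -n -c "$armor"                               # anonymous PKINIT ticket
    KRB5_TRACE=$tracefile kinit -T "$armor" "$princ"   # armored AS-REQ for the user
    preauth_verdict < "$tracefile"
    rm -f "$tracefile"
}

if [ "${RUN_LIVE_CHECK:-0}" = "1" ]; then
    check_login_preauth "${PRINC:-glenn@EXAMPLE.COM}"
fi
```

Run it with RUN_LIVE_CHECK=1 before and after purgekeys: if the verdict moves from "encrypted timestamp used" to "OTP preauth inside a FAST tunnel", the client does fall back to OTP once no long-term key is left; if it reports OTP without armor, the armor ccache (or pam_krb5's FAST configuration) is the thing to fix, not the KDC.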

