[EXTERNAL] Re: FAST OTP
Felix Weissbeck
contact-kerberos at w7k.de
Sun Aug 28 11:52:41 EDT 2016
Hello Glenn
On Sonntag, 28. August 2016 01:10:12 CEST Machin, Glenn D wrote:
>
> Next step was to be able to use it for login/sudo. I modified the
> pam_krb5 step to below in system-auth. What I see on the KDC are only
> encrypted timestamp preauth.
Even if you have configured OTP, auth via encrypted timestamp should still
work. I don't know if you can configure pam_krb5 not to try timestamp, but you
could try purging the password from the krb-storage with

    kadmin.local: purgekeys -all myprinc@REALM

and see if the module falls back to OTP.
> Next step was to be able to use it for login/sudo.
You might also want to take a look at the Secure Services Storage Daemon
(sssd). It supports preauth with pkinit and it should support OTP with anonymous
tickets.
I'm using it for sudo with sudoers coming from my ldap directory, but you
could also authenticate sudo against the sssd-pam-module.
> Any help would be appreciated.
> Glenn
Best regards
Felix