[EXTERNAL] Re: FAST OTP
Machin, Glenn D
GMachin at sandia.gov
Mon Aug 29 08:10:08 EDT 2016
Thanks I will look into using sssd.
> RHEL 7 also has IdM (open source project is FreeIPA
> http://www.freeipa.org/page/Main_Page) that includes MIT Kerberos server
> as part of its domain controller offering which is free.
Dmitri – thanks, however we already have an IDM with Kerberos, LDAP, DNS management and keytab generation and management services. If I were starting from scratch, using FreeIPA would be a no-brainer.
Appreciate the help.
Glenn
On 8/28/16, 3:57 PM, "kerberos-bounces at mit.edu on behalf of Dmitri Pal" <kerberos-bounces at mit.edu on behalf of dpal at redhat.com> wrote:
On 08/27/2016 09:10 PM, Machin, Glenn D wrote:
> Thanks to Dio I was able to get the Pkinit Anonymous working to enable the armor key. I noticed that RedHat 7 supports OTP in Kerberos and the kinit works fine. You do need to force TCP for Kerberos, since the radius transaction can take longer than a second to complete at times. Using UDP I was getting a failure on the RH7 system (a VM on my laptop) because the initial AS_REQ did not complete until after a second AS_REQ was sent, which failed, while the first came back successful.
>
> Next step was to be able to use it for login/sudo. I modified the pam_krb5 step to below in system-auth. What I see on the KDC are only encrypted timestamp preauth.
>
> Can RHEL7 pam_krb5 do OTP?
>
> auth [success=done authinfo_unavail=ignore new_authtok_reqd=ok ignore=ignore default=die] pam_krb5.so no_initial_prompt no_subsequent_prompt armor=true armor_strategy=pkinit
SSSD rather than pam_krb5.
https://fedorahosted.org/sssd/
You in fact need to use TCP for the reasons you described, and SSSD does
it for you.
RHEL 7 also has IdM (open source project is FreeIPA
http://www.freeipa.org/page/Main_Page) that includes MIT Kerberos server
as part of its domain controller offering which is free.
All the manual things you are exploring now are taken care of for you in
RHEL 7, Fedora and CentOS using IdM/FreeIPA and its client that
configures SSSD, Kerberos client, DNS and other parts of the system.
Thanks
Dmitri
>
> Any help would be appreciated.
>
>
> Glenn
>
> On 8/26/16, 4:09 PM, "kerberos-bounces at mit.edu on behalf of Dmitri Pal" <kerberos-bounces at mit.edu on behalf of dpal at redhat.com> wrote:
>
> On 08/26/2016 04:38 PM, Diogenes Jesus wrote:
> >
> >> I was able to configure a krb5-1.14.2 KDC to use FAST OTP with an RSA Authentication Manager Radius server.
> >>
> >> I have a couple of questions:
> >>
> >>
> >> · FAST requires an existing ticket cache. If you need a TGT to get a FAST OTP TGT how do you do that?
> > One way is to enable Anonymous support (http://k5wiki.kerberos.org/wiki/Anonymous_kerberos) - DON'T forget to restrict anonymous to TGT only on your KDCs!
> >
> > Dio
> >
> > ________________________________________________
> > Kerberos mailing list Kerberos at mit.edu
> > https://mailman.mit.edu/mailman/listinfo/kerberos
> >
> >
> OK you can use host key to armor the FAST tunnel for a client system if
> your host is also a part of the Kerberos realm.
> You can check FreeIPA project, there all these pieces are integrated and
> automated.
>
> --
> Thank you,
> Dmitri Pal
>
> Engineering Director, Identity Management and Platform Security
> Red Hat, Inc.
>
>
>
--
Thank you,
Dmitri Pal
Engineering Director, Identity Management and Platform Security
Red Hat, Inc.
________________________________________________
Kerberos mailing list Kerberos at mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
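The two configuration points raised in the thread, forcing TCP so the RADIUS-backed OTP AS-REQ is not retransmitted over UDP, and letting SSSD (rather than pam_krb5) armor the FAST tunnel with the host key, as an added example; this is not configuration from the thread, from MIT Kerberos or from the SSSD project. The realm EXAMPLE.ORG, the KDC host kdc.example.org and the client host client.example.org are placeholders.

```ini
# --- /etc/krb5.conf fragment (added example, placeholders throughout) ---
[libdefaults]
    default_realm = EXAMPLE.ORG
    # The thread describes the failure mode: the OTP AS-REQ is answered only
    # after the KDC's RADIUS round-trip, which can exceed the client's UDP
    # retransmit interval; the duplicated AS-REQ then fails while the first
    # one succeeds. Setting udp_preference_limit = 1 makes the MIT client
    # always talk to the KDC over TCP, so no retransmit is ever sent.
    udp_preference_limit = 1

[realms]
    EXAMPLE.ORG = {
        kdc = kdc.example.org
        admin_server = kdc.example.org
    }

# --- /etc/sssd/sssd.conf fragment (added example, placeholders throughout) ---
[sssd]
    services = nss, pam
    domains = example.org

[domain/example.org]
    id_provider = ldap
    ldap_uri = ldaps://ldap.example.org
    auth_provider = krb5
    krb5_realm = EXAMPLE.ORG
    krb5_server = kdc.example.org
    # "demand" refuses to authenticate unless the exchange is FAST-armored,
    # so the OTP never travels outside the tunnel. The armor credential is
    # the host's own keytab entry (the "host key" option Dmitri mentions),
    # which assumes the client machine is joined to the realm and has
    # /etc/krb5.keytab.
    krb5_use_fast = demand
    krb5_fast_principal = host/client.example.org@EXAMPLE.ORG
```

Two checks worth doing after applying this: confirm the KDC actually listens on TCP (MIT krb5 enables TCP port 88 by default in recent releases; on older builds it is set with kdc_tcp_ports in kdc.conf), and watch the KDC log for a single AS-REQ per login with the armor principal shown as the FAST armor, instead of the bare encrypted-timestamp preauth Glenn observed with pam_krb5.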