Kerberos and OTP

Diogenes Jesus splash at gmail.com
Thu Jun 30 04:01:29 EDT 2016


Hi Laurent. 

Alternatively you can enable anonymous authentication (don't forget to restrict anonymous to only TGT in kdc.conf).

That way it's not required to kinit with host first (you just kinit -n).

Dio

> On 29 Jun 2016, at 16:06, <Laurent.Bastet at i-carre.net> wrote:
> 
> Hello Dmitri,
> 
> Thanks for your reply, it's working fine now.
> 
> Regards
> 
> Laurent BASTET
> 
> On 16/06/2016 17:22, �s-bounces at mit.edu)" wrote:
>> On 06/16/2016 10:08 AM, Laurent.Bastet at i-carre.net wrote:
>>> Hello all,
>>> 
>>> Can you tell me if it is possible to get a TGT without entering a password,
>>> but only using an OTP token?
>>> I found some tutorials on the internet (i.e.
>>> http://web.mit.edu/Kerberos/krb5-1.13/doc/admin/otp.html), but none
>>> works; the token is never asked for: when I do kinit, only the password is
>>> requested, and then I have to do a "kinit -T armor_ccache" for a token
>>> to be requested.
>>> 
>>> And even if I don't do the command "kinit -T" I can access machines...
>>> 
>>> Regards,
>>> 
>>> Laurent.
>>> ________________________________________________
>>> Kerberos mailing list           Kerberos at mit.edu
>>> https://mailman.mit.edu/mailman/listinfo/kerberos
>> The OTP feature requires a FAST tunnel, which is accomplished by having
>> another key and identity on the client for the host.
>> Then you first kinit with host and then use it with -T for user
>> authentication.
