OTP and kadmin

Felix Weissbeck contact-kerberos at w7k.de
Sun Jan 8 11:02:59 EST 2017


Hello,

I have recently reconfigured my MIT-Kerberos setup to use PKINIT / OTP and
RADIUS for my admins. In my setup administrators have two accounts: one
"username@REALM" for regular user-stuff like mail... and "username/admin@REALM"
for root-logins with ssh and other administrative purposes.
This all works just nicely and I am a huge fan.
Users can get their tickets with a password & yubikey and then log onto the
servers as root.

But since I had to "kadmin: purgekeys -all user/admin" in order to force
them to 2FA I can no longer use "kadmin -p user/admin" from a remote host.

root@ldap:~# kadmin -p fe/admin
Authenticating as principal fe/admin with password.
kadmin: Invalid argument while initializing kadmin interface

while my logfiles show:
Jan  8 15:38:13 kerberos2 krb5kdc[28363]: AS_REQ xxxxxxxxx: NEEDED_PREAUTH:
fe/admin@W7K.DE for kadmin/admin@W7K.DE, Additional pre-authentication
required

I have not changed the kadm5.acl on the kdc/kadmin so they should still be
allowed to do this (*/admin *).

I guess the problem is that the kadmin tool does not understand how to
provide the preauth (just like kinit would without the otp module).

So my question is: Did I miss anything? Is there any possibility to use kadmin
remotely with otp/2FA? Or is this not possible at the moment and users have to
use kadmin.local?

Best Regards 
  Felix Weissbeck
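The log line quoted in the post is the KDC's answer to the AS-REQ that kadmin itself sends for the kadmin/admin service: NEEDED_PREAUTH on that request is exactly what leaves the remote kadmin session stuck, whereas the same answer to a kinit request is the normal first round-trip before the client retries with pre-authentication. The following Python script is an added example (not from the post or from MIT Kerberos) that scans krb5kdc audit lines for kadmin-service AS-REQs stalled on pre-authentication, so an operator can see which admin principals lost remote kadmin access after their keys were purged. The log lines are constructed for the example, modelled on the line in the post and on the standard krb5kdc AS_REQ/ISSUE format; the parser also accepts the "user at REALM" spelling that list archives produce when they mangle addresses.

```python
"""Scan krb5kdc logs for admin principals whose kadmin AS-REQ stalls on pre-authentication.

Added example, not part of the mailing-list post. kadmin obtains a ticket for the
kadmin/admin service with its own AS-REQ; when the KDC answers that request with
NEEDED_PREAUTH (as in the post's log line) the remote kadmin session fails. A normal
kinit also receives NEEDED_PREAUTH on its first round-trip and then retries with
pre-authentication, so only stalls against a kadmin/ service are flagged here.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, Optional

# Service principals whose AS-REQs are issued by kadmin rather than by kinit.
KADMIN_SERVICE_PREFIX = "kadmin/"

# Shape of an MIT krb5kdc AS_REQ/TGS_REQ audit line; accepts both "user@REALM" and
# the "user at REALM" form that list archives produce when they mangle addresses.
LINE_RE = re.compile(
    r"krb5kdc\[\d+\]: (?P<req>AS_REQ|TGS_REQ) .*?: (?P<status>[A-Z_]+): "
    r"(?:.*?, )??(?P<client>\S+?(?: at |@)\S+) for (?P<service>\S+?(?: at |@)[^,\s]+)"
    r"(?:, (?P<detail>.*))?$"
)


@dataclass(frozen=True)
class KdcEvent:
    req: str       # AS_REQ or TGS_REQ
    status: str    # NEEDED_PREAUTH, ISSUE, PREAUTH_FAILED, ...
    client: str    # requesting principal, normalised to user@REALM
    service: str   # requested service principal, normalised to svc/inst@REALM
    detail: str    # trailing free-text reason, empty when absent


def _normalise(principal: str) -> str:
    """Undo the ' at ' mangling so both log styles compare equal."""
    return principal.replace(" at ", "@")


def parse_kdc_line(line: str) -> Optional[KdcEvent]:
    """Return the parsed event, or None for lines that are not KDC audit lines."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    return KdcEvent(
        req=m.group("req"),
        status=m.group("status"),
        client=_normalise(m.group("client")),
        service=_normalise(m.group("service")),
        detail=m.group("detail") or "",
    )


def kadmin_preauth_stalls(lines: Iterable[str]) -> list:
    """Keep AS-REQs for a kadmin/ service that the KDC answered with NEEDED_PREAUTH."""
    return [
        ev for ev in map(parse_kdc_line, lines)
        if ev is not None
        and ev.req == "AS_REQ"
        and ev.status == "NEEDED_PREAUTH"
        and ev.service.startswith(KADMIN_SERVICE_PREFIX)
    ]


def stalled_admins(lines: Iterable[str]) -> Counter:
    """Count stalls per admin principal, e.g. to list who must fall back to kadmin.local."""
    return Counter(ev.client for ev in kadmin_preauth_stalls(lines))


# Constructed sample log, modelled on the post's line and the standard krb5kdc format.
SAMPLE_LINES = [
    # the stall from the post, with '@' restored
    "Jan  8 15:38:13 kerberos2 krb5kdc[28363]: AS_REQ (4 etypes {18 17 16 23}) 192.0.2.10: "
    "NEEDED_PREAUTH: fe/admin@W7K.DE for kadmin/admin@W7K.DE, Additional pre-authentication required",
    # ordinary kinit flow: first round-trip asks for preauth, the retry gets the TGT
    "Jan  8 15:40:01 kerberos2 krb5kdc[28363]: AS_REQ (4 etypes {18 17 16 23}) 192.0.2.11: "
    "NEEDED_PREAUTH: fe@W7K.DE for krbtgt/W7K.DE@W7K.DE, Additional pre-authentication required",
    "Jan  8 15:40:03 kerberos2 krb5kdc[28363]: AS_REQ (4 etypes {18 17 16 23}) 192.0.2.11: "
    "ISSUE: authtime 1483886403, etypes {rep=18 tkt=18 ses=18}, fe@W7K.DE for krbtgt/W7K.DE@W7K.DE",
    # archive-style line with '@' rewritten as ' at ', to show the normalisation
    "Jan  8 15:41:20 kerberos2 krb5kdc[28363]: AS_REQ xxxxxxxxx: NEEDED_PREAUTH: "
    "ops/admin at W7K.DE for kadmin/admin at W7K.DE, Additional pre-authentication required",
    # unrelated daemon line, must be ignored
    "Jan  8 15:41:30 kerberos2 sshd[4711]: Accepted publickey for root from 192.0.2.12 port 50022 ssh2",
]

if __name__ == "__main__":
    for principal, count in stalled_admins(SAMPLE_LINES).most_common():
        print(f"{principal}: {count} kadmin AS-REQ(s) stalled on NEEDED_PREAUTH")
```

Run against a real file with `stalled_admins(open("/var/log/krb5kdc.log"))`; the two kinit lines in the sample are parsed but not reported, so a healthy OTP deployment produces no output and only admin principals hitting the kadmin problem described in the post show up.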

