OTP and kadmin
Benjamin Kaduk
kaduk at mit.edu
Sun Jan 8 13:33:26 EST 2017
On Sun, Jan 08, 2017 at 05:02:59PM +0100, Felix Weissbeck wrote:
> Hello,
>
> I have recently reconfigured my MIT-Kerberos setup to use PKINIT / OTP and
> RADIUS for my admins. In my setup administrators have two accounts: one
> "username at REALM" for regular user-stuff like mail... and "username/
> admin at REALM" for root-logins with ssh and other administrative purposes.
> This all works just nicely and I am a huge fan.
> Users can get their tickets with a password & yubikey and then log onto the
> servers as root.
>
> But since I had to "kadmin: purgekeys -all user/admin" in order to force
> them to 2FA I can no longer use "kadmin -p user/admin" from a remote host.
>
> root at ldap:~# kadmin -p fe/admin
> Authenticating as principal fe/admin with password.
> kadmin: Invalid argument while initializing kadmin interface
>
> while my logfiles show:
> Jan 8 15:38:13 kerberos2 krb5kdc[28363]: AS_REQ xxxxxxxxx: NEEDED_PREAUTH:
> fe/admin at W7K.DE for kadmin/admin at W7K.DE, Additional pre-authentication
> required
>
> I have not changed the kadm5.acl on the kdc/kadmin so they should still be
> allowed to do this (*/admin * )
>
> I guess the problem is, that the kadmin-tool does not understand how to
> provide the preauth (just like kinit would without the otp module).
>
> So my question is: Did I miss anything? Is there any possibility to use kadmin
> remotely with otp/2FA? Or is this not possible at the moment and users have to
> use kadmin.local?
One thing to try would be separating getting tickets and authenticating
to kadmin, aka
kinit -c FILE:/tmp/krb5cc_admin -S kadmin/admin -r5m -l5m user/admin
kadmin -c FILE:/tmp/krb5cc_admin -p user/admin
That would make it more clear if it is just a failure in the kadmin client logic.
-Ben
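The two-step approach Ben suggests, wrapped into a small script. This is an added example for this archive page, not code from the thread or from MIT krb5; it assumes MIT krb5's kinit, kadmin and kdestroy are on PATH, and the cache location, the 5m default lifetime, the KADMIN_OTP_LIFETIME variable and the helper names are choices made here, not anything the thread specifies.

```shell
#!/bin/sh
# Added example (not from the original thread): kinit obtains only the
# kadmin/admin service ticket into a private cache, handling the OTP/PKINIT
# preauth that the kadmin client cannot, and kadmin then reuses that cache.

# The kadm5.acl quoted in the thread grants "*/admin *", so refuse principals
# without an /admin instance before spending a second factor on them.
is_admin_principal() {
    case "$1" in
        */admin|*/admin@*) return 0 ;;
        *) return 1 ;;
    esac
}

# Accept a single-unit lifetime (e.g. 5m, 30s, 1h) and cap it at one hour:
# a cache holding only kadmin/admin should not outlive the kadmin session.
lifetime_ok() {
    case "$1" in
        [0-9]*[smh]) ;;
        *) return 1 ;;
    esac
    n=${1%?}
    case "$n" in *[!0-9]*) return 1 ;; esac
    case "$1" in
        *s) secs=$n ;;
        *m) secs=$((n * 60)) ;;
        *h) secs=$((n * 3600)) ;;
    esac
    [ "$secs" -gt 0 ] && [ "$secs" -le 3600 ]
}

# Usage: kadmin_otp PRINCIPAL [extra kadmin arguments, e.g. -q listprincs]
# Lifetime comes from KADMIN_OTP_LIFETIME (hypothetical variable, default 5m).
kadmin_otp() {
    princ=$1; shift
    life=${KADMIN_OTP_LIFETIME:-5m}
    if ! is_admin_principal "$princ"; then
        printf 'refusing %s: kadmin access here needs a /admin instance\n' "$princ" >&2
        return 2
    fi
    if ! lifetime_ok "$life"; then
        printf 'bad KADMIN_OTP_LIFETIME %s (use e.g. 5m, at most 1h)\n' "$life" >&2
        return 2
    fi
    # Private directory so the admin cache never shares a file with the
    # user's everyday tickets (constructed path, mktemp picks the suffix).
    dir=$(mktemp -d "${TMPDIR:-/tmp}/krb5cc_admin.XXXXXX") || return 1
    cache="$dir/cc"
    # Destroy the cache on every exit path, including Ctrl-C inside kadmin.
    trap 'kdestroy -c "FILE:$cache" 2>/dev/null; rm -rf "$dir"' EXIT INT TERM
    # Step 1: kinit does the preauth and asks for the kadmin/admin service
    # ticket directly (-S), so no TGT is left lying around.
    kinit -c "FILE:$cache" -S kadmin/admin -l "$life" -r "$life" "$princ" || return 1
    # Step 2: kadmin uses the existing ticket instead of its own AS-REQ,
    # which is the request that failed with NEEDED_PREAUTH in the log above.
    kadmin -c "FILE:$cache" -p "$princ" "$@"
}

# Run only when invoked directly with a principal (./kadmin_otp.sh fe/admin);
# with no arguments the functions are merely defined, so the file can be sourced.
if [ "$#" -gt 0 ]; then
    kadmin_otp "$@"
fi
```

If the kinit step succeeds and kadmin still fails, the problem is in the kadmin client logic rather than in preauth, which is exactly the distinction Ben's suggestion is meant to make.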