Kerberos OTP with FreeRadius

Brennecke, Simon simon.brennecke at
Fri Jul 7 01:54:19 EDT 2017

Hi all,

I'm trying to configure a MIT Kerberos server (I belive version 1.15) to do OTP preauth against a FreeRadius server on a Debian 9 host.

What I did so far was:

1) installed and configured FreeRadius to only do OTP with google-authenticator via PAM => works

2) installed and configured MIT kerberos with a couple of principials => "kinit -p simon" works

3) I followed

4) I realized that I probably also need PKINIT for FAST to work, so I also followed, but only the server portion. I skipped the client part. I was using my own CA.

5) I did 'set_string simon otp "[]"' and "modprinc +need_pre_auth simon"

6) restarted KDC

Here is were I am a bit unsure now. I kinda expect "kinit -p simon" now to either ask me for my password AND my OTP token, or at least fail with some error message. But instead it succeeds if I just enter my password.

>From the logs I can see, that the OTP module gets loaded and when I do kinit that some sort of PREAUTH is required, but apparently it is handled successfully and completly without OTP token.

I then started to fiddle with the "authentication indicators", but I'm afraid I do not properly understand their part in all this.

Can somebody please advise me what is missing?

Also can sombody explain how this integrates with PAM-kerberos on a client machine? Will PAM then prompt the user for the OTP token and password?

Many thanks & Regards


More information about the Kerberos mailing list