Kerberos OTP with FreeRadius

Felix Weissbeck contact-kerberos at w7k.de
Fri Jul 7 05:04:47 EDT 2017


Hi,

Am Freitag, 7. Juli 2017, 07:54:19 CEST schrieb Brennecke, Simon:
> Here is were I am a bit unsure now. I kinda expect "kinit -p simon" now to
> either ask me for my password AND my OTP token, or at least fail with some
> error message. But instead it succeeds if I just enter my password.

As far as I understand the pre-auth, it succeeds if you enter a correct
password OR if the radius authentication is successful.

One solution is to remove the password from the kerberos database, so it only 
works if the radius auth is successful.
  kadmin -q 'purgekeys -all YOUR_PRINCNAME'
(see: https://web.mit.edu/kerberos/krb5-1.13/doc/admin/pkinit.html)

The "problem" with this is that you can now obtain a kerberos ticket with your
second factor alone; so you could configure PAM to successfully authenticate
with password+token.

I have a setup that asks for a password plus (yubikey or google-auth).
The PAM configuration looks like this:

# 1. Google Authenticator: take the code from the end of the supplied string;
#    on success skip the next two lines (pam_yubico and pam_deny), else fall through
auth    [success=2 default=ignore]      pam_google_authenticator.so try_first_pass forward_pass
# 2. Yubikey OTP against the local validation server; on success skip the pam_deny below
auth    [success=1 default=ignore]      pam_yubico.so id=2 authfile=/etc/yubikeyid url=http://127.0.0.1/wsapi/2.0/verify?id=%d&otp=%s try_first_pass
# neither OTP module succeeded: stop here
auth    requisite                       pam_deny.so
# 3. the remainder of the string (the password) is checked by pam_unix
auth    [success=1 default=ignore]      pam_unix.so use_first_pass
auth    requisite                       pam_deny.so
auth    required                        pam_permit.so


> Also can sombody explain how this integrates with PAM-kerberos on a client
> machine? Will PAM then prompt the user for the OTP token and password?

The authentication works with the password and OTP supplied as one string (passwordotp).

Hope this helps. If anyone has a better approach please let me know.

Best regards
  Felix
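An added example (not part of Felix's mail) modelling how that PAM stack consumes the single password+OTP string: each OTP module strips its token from the end and forwards the rest as the password for pam_unix, and a password alone or an OTP alone is denied. It assumes constructed credentials (the RFC 4226 test key as the HOTP secret, a dummy password, a made-up Yubikey OTP) and stands in for the real modules with simplified checks.

```python
"""Simplified model of the quoted stack: [success=2] google-auth ->
[success=1] yubico -> requisite deny -> [success=1] pam_unix ->
requisite deny -> required permit. Credentials below are constructed."""
import hmac
import hashlib
import struct

DEMO_PASSWORD = "correct horse"          # constructed, not from the mail
HOTP_SECRET = b"12345678901234567890"    # RFC 4226 test-vector key
YUBIKEY_OTP_LEN = 44                     # a Yubikey OTP is 44 modhex characters


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP; TOTP as used by google-auth is hotp(secret, unix_time // 30)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def google_auth(token: str, counter: int) -> bool:
    """Stands in for pam_google_authenticator: 6-digit code for the given time step."""
    return token.isdigit() and hmac.compare_digest(token.encode(), hotp(HOTP_SECRET, counter).encode())


def yubico(token: str, accepted) -> bool:
    """Stands in for pam_yubico: the validation server decides whether the OTP is good."""
    return len(token) == YUBIKEY_OTP_LEN and token in accepted


def pam_unix(password: str) -> bool:
    """Stands in for pam_unix use_first_pass: checks the forwarded password."""
    return hmac.compare_digest(password.encode(), DEMO_PASSWORD.encode())


def authenticate(authtok: str, counter: int, accepted_yubi=frozenset()) -> bool:
    """Walk the stack for one supplied 'passwordotp' string."""
    # pam_google_authenticator with try_first_pass/forward_pass: last 6 chars are the code
    if google_auth(authtok[-6:], counter):
        password = authtok[:-6]                  # success=2 skips pam_yubico and pam_deny
    elif yubico(authtok[-YUBIKEY_OTP_LEN:], accepted_yubi):
        password = authtok[:-YUBIKEY_OTP_LEN]    # success=1 skips pam_deny
    else:
        return False                             # requisite pam_deny: no second factor
    if not pam_unix(password):
        return False                             # requisite pam_deny after failed pam_unix
    return True                                  # required pam_permit
```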

