Kerberos OTP with FreeRadius

Felix Weissbeck contact-kerberos at
Fri Jul 7 05:04:47 EDT 2017


Am Freitag, 7. Juli 2017, 07:54:19 CEST schrieb Brennecke, Simon:
> Here is were I am a bit unsure now. I kinda expect "kinit -p simon" now to
> either ask me for my password AND my OTP token, or at least fail with some
> error message. But instead it succeeds if I just enter my password.

As far as i understand the pre-auth, it succeeds if you enter a correct 
password OR if the radius-authentication is successful.

One solution is to remove the password from the kerberos database, so it only 
works if the radius auth is successful.
  kadmin -q 'purgekeys -all YOUR_PRINCNAME'

The  "problem" hereby is, that you can now obtain a kerberos ticket with your 
second factor alone; so you could configure PAM to successfully authenticate 
with password+token. 

I have a setup that asks for a password plus (yubikey or google-auth). 
The  PAM-configuration looks like this:

auth    [success=2 default=ignore] 
try_first_pass forward_pass
auth    [success=1 default=ignore] id=2 authfile=/etc/
yubikeyid url= try_first_pass
auth    requisite             
auth    [success=1 default=ignore] use_first_pass
auth    requisite             
auth    required              

> Also can sombody explain how this integrates with PAM-kerberos on a client
> machine? Will PAM then prompt the user for the OTP token and password?

The authentication works with passwordotp suplied as one string. 

Hope this helps. If anyone has a better approach please let me know.

Best regards

More information about the Kerberos mailing list