Kerberos OTP with FreeRadius

Benjamin Kaduk kaduk at
Fri Jul 7 08:07:34 EDT 2017

On Fri, Jul 07, 2017 at 11:04:47AM +0200, Felix Weissbeck wrote:
> The  "problem" hereby is, that you can now obtain a kerberos ticket with your 
> second factor alone; so you could configure PAM to successfully authenticate 
> with password+token. 

Yes, the FAST/OTP preauthentication mechanism from RFC 6560 uses only
the OTP factor, which makes it a great solution if you already have
deployed OTP infrastructure and need to add a kerberos solution for
your site.  For using OTP as a second factor, it's not really an option.

The current thinking in this space is that the SPAKE preauth scheme
will fill this void, allowing a second factor to be mixed in with a
PAKE password-based preauth, that does not expose anything encrypted
in password-based keys directly on the wire (so as to stymie brute-force


More information about the Kerberos mailing list