MIT Kerberos OTP with Windows

Charles Hedrick hedrick at rutgers.edu
Wed Nov 1 14:06:23 EDT 2017


You could issue a machine-specific key table, and then use a script that does kinit from the key table, then kinit -T pointing to the resulting credentials cache. I have verified the KfW kinit -T works.

We use OTP on Linux. I can’t get FAST/PKINIT to work there either. I have a kerberized service (using the machine’s key table) that will generate a credentials cache on a server and return it. That’s used to bootstrap kinit -T.

Surely there was a better approach than getting X509 involved in Kerberos. I look forward to any alternatives.

My problem with KfW is more serious: I can’t get PuTTY to see the tickets. That makes it of no real use to me. I’m going to try installing Ubuntu on Windows.

> On Oct 30, 2017, at 5:25 AM, Oleksandr Yermolenko <aae at sumix.com> wrote:
> 
> Hi all,
> 
> I'm trying to configure a Windows 7 workstation to do OTP preauth.
> 
> I've installed MIT Kerberos for Windows 4.1, put krb5.ini as for Linux
> and ... of course obtain the error "Generic preauthentication
> failure". FAST/PKINIT anonymous unsupported ...
> 
> any ideas how to implement OTP for Windows with MIT Kerberos client?
> possible?
> 
> thanks a lot for your help
> 
> Oleksandr Yermolenko
> 
> I can use without any problem on the systems Debian/CentOS based
> according to [1] and [2]
> 
> [1] https://www.eyrie.org/~eagle/software/pam-krb5/pam-krb5.html
> [2] http://mailman.mit.edu/pipermail/kerberos/2017-July/021747.html
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
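
The keytab-armored flow suggested in the reply above, sketched as a PowerShell wrapper around the KfW command-line tools. This is an added example, not code from the thread; the keytab path, principal names and realm are assumptions and must be replaced with site values.

```powershell
# Added example: obtain an OTP-preauthenticated TGT by armoring the request (FAST)
# with a ticket taken from a machine-specific keytab, as described in the reply.
# Every default below is a hypothetical placeholder, not a value from the thread.
param(
    [string]$Keytab        = 'C:\ProgramData\Kerberos\host.keytab',
    [string]$HostPrincipal = 'host/ws01.example.com@EXAMPLE.COM',
    [string]$UserPrincipal = "${env:USERNAME}@EXAMPLE.COM"
)

if (-not (Test-Path -LiteralPath $Keytab)) {
    throw "Keytab not found: $Keytab"
}

# Use a throwaway FILE: cache for the armor ticket so the machine credential
# never lands in the user's default credentials cache.
$armorFile  = Join-Path $env:TEMP ("armor_{0}.cc" -f [guid]::NewGuid())
$armorCache = "FILE:$armorFile"

try {
    # Step 1: kinit from the key table into the armor cache (no prompt).
    & kinit -k -t $Keytab -c $armorCache $HostPrincipal
    if ($LASTEXITCODE -ne 0) {
        throw "kinit from keytab failed (exit $LASTEXITCODE)"
    }

    # Step 2: kinit -T pointing at the armor cache; the OTP prompt appears here
    # and the user's TGT is written to the default cache.
    & kinit -T $armorCache $UserPrincipal
    if ($LASTEXITCODE -ne 0) {
        throw "Armored kinit for $UserPrincipal failed (exit $LASTEXITCODE)"
    }
}
finally {
    # The armor ticket is only needed during preauthentication; remove it
    # whether or not the login succeeded.
    if (Test-Path -LiteralPath $armorFile) {
        & kdestroy -c $armorCache
    }
}
```

The keytab is a long-lived machine credential, so restrict its file ACL to the account that runs the script and issue a separate key per workstation so a single host can be revoked.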
