OTP/FAST: MIT KDC <--> heimdal client integration

Greg Hudson ghudson at mit.edu
Thu Nov 2 10:50:45 EDT 2017

On 11/02/2017 05:06 AM, Oleksandr Yermolenko wrote:
> I have a strange (for me?) situation using MIT KDC together with
> Heimdal client. PKINIT/FAST scenario.

I don't believe Heimdal implements FAST OTP.

> kinit --cache=FILE:/tmp/krb5cc_1000 aae@IDM.CRP
> aae@IDM.CRP's Password: passwordOTP
> kinit: Password incorrect
> KDC log:
> Nov 02 09:45:56 ipa31.idm.crp krb5kdc[1932](info): preauth (encrypted_timestamp) verify failure: Preauthentication failed
> Nov 02 09:45:56 ipa31.idm.crp krb5kdc[1932](info): preauth

It looks like the Heimdal client is trying to do encrypted timestamp
(not encrypted challenge, so I'm not sure the client is even using FAST
with these options) against whatever long-term keys you have on the
client principal entry.  You might want to remove those (with kadmin
purgekeys -all) so that the KDC doesn't offer encrypted
timestamp/encrypted challenge.
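The diagnosis above rests on reading which preauth mechanism the KDC logged. The following is an added example, not code from this thread or from the MIT krb5 project: it parses krb5kdc log lines of the shape quoted in the report, counts failures per mechanism, and flags whether a client fell back to password-based preauth (encrypted timestamp or encrypted challenge) rather than OTP. The sample log is constructed; only the first line mirrors the one Oleksandr posted, and the `encrypted_challenge` and `otp` lines are assumed to follow the same `preauth (<module>) verify failure:` format.

```python
import re
from collections import Counter

# Constructed sample log. The first line copies the shape of the entry quoted
# in the thread; the remaining entries are made up for illustration and assume
# krb5kdc names its preauth modules the same way in every "verify failure" line.
SAMPLE_LOG = """\
Nov 02 09:45:56 ipa31.idm.crp krb5kdc[1932](info): preauth (encrypted_timestamp) verify failure: Preauthentication failed
Nov 02 09:45:56 ipa31.idm.crp krb5kdc[1932](info): preauth (encrypted_timestamp) verify failure: Preauthentication failed
Nov 02 09:46:10 ipa31.idm.crp krb5kdc[1932](info): preauth (encrypted_challenge) verify failure: Preauthentication failed
Nov 02 09:47:02 ipa31.idm.crp krb5kdc[1932](info): preauth (otp) verify failure: Preauthentication failed
Nov 02 09:47:30 ipa31.idm.crp krb5kdc[1932](info): some unrelated KDC message
"""

# Matches "krb5kdc[<pid>](<level>): preauth (<module>) verify failure: <reason>"
PREAUTH_FAILURE_RE = re.compile(
    r"krb5kdc\[\d+\]\(\w+\): preauth \((?P<mech>[a-z_]+)\) verify failure: (?P<reason>.*)$"
)


def parse_preauth_failures(log_text):
    """Return a list of (mechanism, reason) tuples for every preauth failure line."""
    failures = []
    for line in log_text.splitlines():
        match = PREAUTH_FAILURE_RE.search(line)
        if match:
            failures.append((match.group("mech"), match.group("reason")))
    return failures


def mechanism_counts(log_text):
    """Count preauth failures per mechanism name, e.g. {'encrypted_timestamp': 2}."""
    return Counter(mech for mech, _ in parse_preauth_failures(log_text))


def diagnose(log_text):
    """Summarise what the failures say about the client/KDC negotiation.

    password_preauth_attempted: the client used encrypted timestamp or encrypted
        challenge. The KDC only offers these when the principal still has
        long-term keys, which is what the reply above suggests removing.
    otp_attempted: the client actually tried the FAST OTP mechanism.
    """
    counts = mechanism_counts(log_text)
    return {
        "password_preauth_attempted": bool(
            counts.get("encrypted_timestamp") or counts.get("encrypted_challenge")
        ),
        "otp_attempted": bool(counts.get("otp")),
    }


if __name__ == "__main__":
    for mech, n in mechanism_counts(SAMPLE_LOG).items():
        print(f"{mech}: {n} failure(s)")
    print(diagnose(SAMPLE_LOG))
```

Run against a real `/var/log/krb5kdc.log`, a client that is meant to be doing OTP but shows only `encrypted_timestamp` failures is exactly the situation described in the reply: the KDC is offering password preauth because the principal's long-term keys still exist.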
