OTP/FAST: MIT KDC <--> heimdal client integration

Charles Hedrick hedrick at rutgers.edu
Fri Nov 3 10:17:41 EDT 2017

It’s sort of implemented. On my Mac, if I use --fast-armor-cache=FILE:/tmp/krb5cc_1003 it sends UDP packets to the server. The server doesn’t return anything and makes no entry in krb5kdc.log. So the client waits and eventually times out.

If I force TCP by using tcp/hostname in krb5.conf, a non-OTP kinit works, but a FAST kinit immediately returns "unable to reach any KDC".

A compatibility issue between Heimdal and MIT KDCs?

> On Nov 2, 2017, at 10:50 AM, Greg Hudson <ghudson at mit.edu> wrote:
> On 11/02/2017 05:06 AM, Oleksandr Yermolenko wrote:
>> I have a strange (for me?) situation using MIT KDC together with
>> Heimdal client. PKINIT/FAST scenario.
> I don't believe Heimdal implements FAST OTP.
>> kinit --cache=FILE:/tmp/krb5cc_1000 aae at IDM.CRP
>> aae at IDM.CRP's Password: passwordOTP
>> kinit: Password incorrect
>> KDC log:
>> Nov 02 09:45:56 ipa31.idm.crp krb5kdc[1932](info): preauth
>> (encrypted_timestamp) verify failure: Preauthentication failed Nov 02
>> 09:45:56 ipa31.idm.crp krb5kdc[1932](info): preauth
> It looks like the Heimdal client is trying to do encrypted timestamp
> (not encrypted challenge, so I'm not sure the client is even using FAST
> with these options) against whatever long-term keys you have on the
> client principal entry.  You might want to remove those (with kadmin
> purgekeys -all) so that the KDC doesn't offer encrypted
> timestamp/encrypted challenge.
