OTP/FAST: MIT KDC <--> heimdal client integration
hedrick at rutgers.edu
Fri Nov 3 10:17:41 EDT 2017
It’s sort of implemented. On my Mac, if I use --fast-armor-cache=FILE:/tmp/krb5cc_1003 it sends udp packets to the server. The server doesn’t return anything and makes no entry in krb5kdc.log. So the client waits and eventually times out.
If I force tcp by using tcp/hostname in krb5.conf, a non-OTP kinit works, but a fast kinit immediately returns unable to reach any KDC.
A compatibility issue between Heimdal and MIT KDCs?
> On Nov 2, 2017, at 10:50 AM, Greg Hudson <ghudson at mit.edu> wrote:
> On 11/02/2017 05:06 AM, Oleksandr Yermolenko wrote:
>> I have a strange (for me?) situation using MIT KDC together with
>> Heimdal client. PKINIT/FAST scenario.
> I don't believe Heimdal implements FAST OTP.
>> kinit --cache=FILE:/tmp/krb5cc_1000 aae at IDM.CRP
>> aae at IDM.CRP's Password: passwordOTP
>> kinit: Password incorrect
>> KDC log:
>> Nov 02 09:45:56 ipa31.idm.crp krb5kdc(info): preauth (encrypted_timestamp) verify failure: Preauthentication failed
>> Nov 02 09:45:56 ipa31.idm.crp krb5kdc(info): preauth
> It looks like the Heimdal client is trying to do encrypted timestamp
> (not encrypted challenge, so I'm not sure the client is even using FAST
> with these options) against whatever long-term keys you have on the
> client principal entry. You might want to remove those (with kadmin
> purgekeys -all) so that the KDC doesn't offer encrypted
> timestamp/encrypted challenge.
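An added example, not part of the thread: a small parser for KDC log lines of the kind quoted above that tallies which preauth mechanism each failing request used, so encrypted_timestamp attempts (the symptom Greg Hudson points at) can be told apart from encrypted_challenge ones. The sample lines beyond the one quoted in the thread, and the optional `[pid]` accepted after `krb5kdc` in the pattern, are constructed assumptions.

```python
import re
from collections import Counter

# Matches the krb5kdc preauth verify-failure line format quoted in the thread.
# The optional "[pid]" after krb5kdc is an assumption to also cover syslog-style
# output; the lines in the thread carry no pid.
PREAUTH_FAILURE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"krb5kdc(?:\[\d+\])?\((?P<level>\w+)\): "
    r"preauth \((?P<mech>[\w-]+)\) verify failure: (?P<reason>.*)$"
)

# Constructed sample log: the first line is the one quoted in the thread,
# the remaining lines (timestamps, second mechanism, non-preauth line) are
# made up for this example.
SAMPLE_KDC_LOG = """\
Nov 02 09:45:56 ipa31.idm.crp krb5kdc(info): preauth (encrypted_timestamp) verify failure: Preauthentication failed
Nov 02 09:45:57 ipa31.idm.crp krb5kdc(info): preauth (encrypted_timestamp) verify failure: Preauthentication failed
Nov 02 09:46:10 ipa31.idm.crp krb5kdc(info): preauth (encrypted_challenge) verify failure: Preauthentication failed
Nov 02 09:46:12 ipa31.idm.crp krb5kdc(info): closing down fd 12
"""


def parse_preauth_failures(log_text):
    """Return one dict per preauth verify-failure line; other lines are skipped."""
    records = []
    for line in log_text.splitlines():
        m = PREAUTH_FAILURE_RE.match(line)
        if m:
            records.append(m.groupdict())
    return records


def failures_by_mechanism(records):
    """Count failures per preauth mechanism: encrypted_timestamp means the
    client authenticated against its long-term key, encrypted_challenge is
    what a FAST-armored client uses."""
    return Counter(r["mech"] for r in records)


if __name__ == "__main__":
    recs = parse_preauth_failures(SAMPLE_KDC_LOG)
    for mech, n in sorted(failures_by_mechanism(recs).items()):
        print(f"{mech}: {n} failure(s)")
```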