Kerberos n00b question.
Robbie Harwood
rharwood at redhat.com
Thu Jan 10 14:23:32 EST 2019
Grant Taylor <gtaylor at tnetconsulting.net> writes:
> On 1/8/19 6:02 PM, Robbie Harwood wrote:
>
>> Also! 2FA will mitigate this concern somewhat as well.
>
> I was wondering about 2nd factor authentication. I have a YubiKey
> that's waiting for my attention.
>
> Would I be correct in assuming that (from a Kerberos point of view)
> the 1st and 2nd factors are used during the kinit process? Meaning
> that all of the SSO functions still work unimpeded?

Correct.

As an additional note, second factors (and PKINIT etc.) can set what we
call auth indicators:

http://web.mit.edu/kerberos/krb5-latest/doc/admin/auth_indicator.html

Applications can use these to mandate certain authentication properties
(e.g., used 2fa) on requests.

Thanks,
--Robbie
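
The auth indicators mentioned in the message above, shown as an added MIT krb5 configuration example that is not part of the original message. The realm name, token type name, RADIUS host, file path, indicator strings and service principal are all assumed placeholders.

```ini
# kdc.conf fragment (constructed example; every name here is a placeholder)

[realms]
    EXAMPLE.COM = {
        # Tickets obtained through PKINIT pre-authentication carry this
        # indicator. The string is free-form and chosen by the administrator.
        pkinit_indicator = pkinit
    }

[otp]
    # Hypothetical OTP token type. The KDC forwards the one-time password
    # to this RADIUS server for validation.
    yubikey = {
        server = radius.example.com:1812
        secret = /var/kerberos/krb5kdc/radius.secret
        # Tickets obtained with this token type carry this indicator.
        indicator = 2fa
    }

# Enforcement is per service principal, through the require_auth string
# attribute. With the setting below the KDC issues a service ticket for
# host/app.example.com only when the client's ticket carries at least one
# of the listed indicators, so a password-only kinit gets no ticket for
# this service while SSO to other services is unaffected:
#
#   kadmin: setstr host/app.example.com require_auth "2fa pkinit"
#
# To check what is currently set on the principal:
#
#   kadmin: getstrs host/app.example.com
```

Because the check happens when the KDC issues the service ticket, the service itself needs no code change. GSSAPI server applications that want their own policy can read the indicators through the `auth-indicators` name attribute.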