Kerberos n00b question.

Robbie Harwood rharwood at redhat.com
Thu Jan 10 14:23:32 EST 2019


Grant Taylor <gtaylor at tnetconsulting.net> writes:

> On 1/8/19 6:02 PM, Robbie Harwood wrote:
>
>> Also!  2FA will mitigate this concern somewhat as well.
>
> I was wondering about 2nd factor authentication.  I have a YubiKey 
> that's waiting for my attention.
>
> Would I be correct in assuming that (from a Kerberos point of view)
> the 1st and 2nd factors are used during the kinit process?  Meaning
> that all of the SSO functions still work unimpeded?

Correct.

As an additional note, second factors (and PKINIT etc.) can set what we
call auth indicators:
http://web.mit.edu/kerberos/krb5-latest/doc/admin/auth_indicator.html

Applications can use these to mandate certain authentication properties
(e.g., used 2fa) on requests.

Thanks,
--Robbie
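
An added example, not part of the original message: a kdc.conf fragment that attaches auth indicators to tickets obtained with PKINIT or an OTP token type, with the kadmin command that makes a service principal require one of them shown as a comment. The realm, host names, token type name (`hwtoken`), secret path and indicator values are placeholders chosen for illustration.

```ini
# kdc.conf (added example; all names and values below are placeholders)
[realms]
    EXAMPLE.COM = {
        # Tickets obtained via PKINIT preauth carry the indicator "pkinit".
        pkinit_indicator = pkinit
    }

[otp]
    # Hypothetical OTP token type validated through a RADIUS server.
    hwtoken = {
        server = radius.example.com:1812
        secret = /var/kerberos/krb5kdc/radius.secret
        # Tickets obtained with this token type carry the indicator "2fa".
        indicator = 2fa
    }

# On the service principal that should only accept strongly authenticated
# clients, set the require_auth string attribute (run inside kadmin):
#   setstr host/high.value.server.example.com require_auth "pkinit 2fa"
# Names are space-separated; a ticket with any one of them is accepted.
# Check the attribute afterwards with:
#   getstrs host/high.value.server.example.com
```

A client that ran kinit with a password only gets a TGT without either indicator, so the KDC will not issue it a ticket for that service, while its single sign-on to other services is unaffected.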