windows kerberos update?

[Charles Hedrick]

Thanks. We’ll try to OTP. If there’s no PKINIT, I guess that means the armor will have to come from the machine credentials. That should be workable.

A couple of us do kinit from home on the Mac. I don’t have a long list of people asking for it for Windows, but if a couple of people do it for Mac probably a few would do it for Windows as well. I’m paranoid enough about the server to want use from outside the department to go through the proxy.

On Jan 16, 2019, at 12:01:19 PM, Greg Hudson <ghudson at mit.edu> wrote:

On 1/16/19 11:23 AM, Charles Hedrick wrote:
We’re starting to use Windows Kerberos, with a 3rd party login screen that calls Kerberos. Some of our staff use FreeOTP 2FA. As far as I can tell, the most recent KfW doesn’t support 2FA or the https: proxy.

KfW 4.1 is based on krb5 1.13, which includes the OTP client code, so I
think that's only half correct.

Are there plans for a new release that would do so?

I was planning to do a Windows release based on the 1.17 branch (for
SPAKE support, if nothing else), but I don't have a specific time-table.

HTTPS proxy support is not currently part of the Windows build, because
of the OpenSSL dependency.  I can make an attempt to bring that in when
I make time to do work on the Windows port.  (Bringing in an OpenSSL
dependency would also make it possible to enable PKINIT support, though
that might also require some work on the PKINIT code.)

It is now possible to build the Windows installer from source using the
community (no-cost) version of the MS compiler.  See src/windows/README
in the source tree for details.