2FA with krb5

Ken Hornstein kenh at cmf.nrl.navy.mil
Wed Oct 6 21:27:04 EDT 2021 

>We'd like to be able to leverage 2fa for some services (admins) and some 
>services (ssh logins) but not have to pump a 2fa code into, say, our mail 
>applications.  Is there a way to make the acquisition of a TGT (for GSSAPI 
>authentication) vs Password Authentication require 2fa?

Yes (I'll explain more below).

>That's complication number one.
>
>Complication number 2 is something like "SecurID is *expensive* for a 
>fairly small (<10) admin team."

Yeah, tell me about it.

>Is there any reasonable support for off-the-shelf TOTP or HOTP 
>authenticators, i.e. google authenticator or whatnot?  If so, is there 
>support to have a user have *multiple* available authenticators, such that 
>one can be expired and others not?

There is not such a thing yet, AFAIK.  It's something on my list to
implement TOTP support (but, it's kinda far down).  It's complicated
(again, see below).

>Googling this all gets me a bunch of (some older, some newer articles 
>about the varying states of SPAKE and the like), and...a whole bunch of 
>ads now being shown for startups that want to do it differently but I'm 
>SURE no way to integrate with this.
>
>The final problem, of course, is that if I make all my KDC's 2fa-aware on 
>their own, there's no communication of double-use of a token, unless I 
>centralize things, which breaks the purpose of having geo-diverse KDC's. 
>I don't suppose the kerberos db replication mechanism has anything that 
>can also share this state?
>
>This is all pie-in-the-sky stuff, but practical answers "just an FAQ" are 
>hard to find.

So, I think I speak with some authority on this subject; I've been involved
with some kind of 2FA with Kerberos for a ... couple of decades?  Yikes,
I feel old.  Anyway, the super short summary is:

- You can do it, but depending on exactly WHAT you want to do may
  involve writing some code.  You've heard the expression, "With a big
  enough engine, you can make a barn door fly"?  That applies here.
- There are some architectural issues that makes this all complicated
  to deploy.  I'll try to touch on those.

The first question you need to answer is: what are your clients?  This
is important because which specific 2FA protocol you use depends on
what clients you have.  The 3 main protocols I am aware of are

- SAM2 - this is the old protocol that we originally used waay back
  when we started (and we still use today for some factors).  You can
  pretty much use any factor with it; we used SecurID, CryptoCARD,
  and today use YubiKey.  The major disadvantage is it is only supported
  by MIT-based Kerberos clients.  I did a small amount of the protocol
  work on SAM2 but for various complicated reasons it never resulted
  in a published RFC.

- FAST.  This is a newer protocol that provides a generic encrypted
  tunnel to send preauthentication messages over (these are called "FAST
  factors").  It's a more complicated protocol, but superior to SAM2;
  if it was around when we started we would have used it.  It is supported
  by MIT and Heimdal; it may be supported by Windows, I am not sure.
  There is already a FAST factor defined for One-Time Passwords, called
  "OTP".  I am not sure of the client coverage of the OTP FAST
  factor, though.  I will admit that I do not know as much about FAST as
  the other mechanisms, so if people chime in and correct me you should
  believe them over me.

- PKINIT.  This uses an existing PKI to completely replace a password.  I
  mention this as 2FA since in our deployment we use client certificates
  on smartcards which require PINs to unlock, hence the two factors.
  This is supported by all 3 major Kerberos implementations (well, maybe
  not the smartcard piece, but MIT Kerberos does, except on Windows).
  If you can leverage an existing PKI then it's not a bad choice, but
  it is a complicated mess to get going; there are SO MANY ways for
  it to go wrong.

So, which protocol should you use?  Well, even though I hold a soft spot
for SAM2, I can't really recommend using it for new implementations;
ours is really just due to legacy code.  So that's either FAST OTP or
PKINIT.  However ... FAST does require a special "FAST armour key"
(which is typically a host key) or support for anonymous PKINIT.
Either of those requires a bit of magic at kinit time, which I haven't
completely sussed out all yet.  I'm not actually sure if FAST OTP has
been deployed anywhere; it may be!  If so, no one talks about it.
One advantage of SAM2 is that it "just works" when you enable it
(assuming everything else is set up correctly).

There is an existing FAST OTP implementation for MIT Kerberos; the
documentation is here:

	https://web.mit.edu/kerberos/www/krb5-latest/doc/admin/otp.html

The implementation requires you to verify the token using a RADIUS
server.  If you do not like that, you'd have to write your own
implementation (and, sadly, that requires Kerberos internals; sigh, I
wish that interface was better defined).

In terms of using it for access to certain hosts, you have a couple
of options.  The preauth mechanism can set what are known as "authentication
indicators" in the ticket; you can either configure a host principal
to only allow the acquisition of a service ticket if it has a particular
indicator, or you can modify the server software so it checks for
a particular indicator.  We used a variation of the second approach;
there is a Kerberos ticket flag called HW_AUTH, and our application server
code checks for that on the subset of hosts that require it (this was
before authentication indicators were developed as a protocol extension).

Now, in terms of "challenges" ... here's my understanding of the
practical issues you will face:

- As you note, talking to an external server kills the KDC redundancy.
  And a lot of OTP mechanisms require this.  In the larger deployment
  I have worked on, we supported three OTP hardware tokens: SecurID,
  CRYPTOCard, and YubiKey.  With CRYPTOCard, I wrote that mechanism and
  put the "secret" directly in the KDC.  That worked, but it had an
  unfortunate wart that if you talked to a replica KDC there was no way
  of propagating the "used" token back to the primary (since 99% of the
  requests went to the primary KDC, it never ended up being a problem in
  practice, but I knew it was an issue and never figured out a reasonable
  solution).  With SecurID and YubiKey, the KDC ends up talking to external
  verification servers.  For various dumb reasons the SecurID server
  implementation never worked well, but the YubiKey one seems to work
  pretty well.  It does have the obvious problem that if the YubiKey
  server goes down then you can't kinit if you're using YubiKey (and
  that has happened to us).

- There's not a way to OPTIONALLY say, "I'd like to use OTP now".  You can
  set it on a per-user basis, but kinit (and the underlying API) doesn't
  have the ability to say, "Please let me use OTP for this request".
  We have some local hacks to enable this functionality.  In discussions
  on krbdev I believe MIT was open to this functionality, but the
  actual WORK hasn't been done.  I was the obvious one to do this work,
  but I just submitted a pullup request for a very simple change that I
  said I'd do back in May, so ... I'm behind.  Discussion on this is
  here:

	http://mailman.mit.edu/pipermail/krbdev/2021-April/013448.html

Now, strangely enough, even though PKINIT is a giant pain in the ass
it solves a lot of these issues (admittedly, by foisting them off onto
a PKI, but hey ...).  So if you want to use PKINIT, that might be a
way to go.  In terms of second factors, have you looked at the YubiKey
tokens?  The latest ones can act as a PIV token, and you should be able
to get PKINIT working with them (I will admit I've played around with
a YubiKey token and I see it shows up as a PIV token, but I didn't get
a chance to go farther).  In theory you could implement the YubiKey
verification directly in the KDC, but that has all of the issues with
the CRYPTOCard support I mentioned.

I hope it doesn't sound like I'm crapping on people here; a lot of
very smart people did a lot of very good work in terms of the protocol
and the code framework for implementing multi-factor authentication in
Kerberos.  It is not an easy problem!  But the documentation on it all
is a bit ... diffused.

Anyway, I hope that helps.

--Ken

More information about the Kerberos mailing list