2FA with krb5

Russ Allbery eagle at eyrie.org
Thu Oct 7 14:50:37 EDT 2021


Ken Hornstein <kenh at cmf.nrl.navy.mil> writes:

> I am not sure of the client coverage of the OTP FAST factor, though.

For what it's worth, although my pam-krb5 module implements FAST including
both keyed and anonymous FAST, it does not implement FAST OTP.  This is
because (a) I didn't find any documentation of what I was supposed to do
as a client (it's been years since I looked so this quite possibly has
changed), and (b) attempting to set up a reasonable test environment
looked painful.  In particular, there was (at the time, again haven't
checked recently) a lot of hand-waving about exactly how to set up the
RADIUS part, since MIT Kerberos just treats it as an oracle.

I haven't checked if sssd supports FAST OTP.  That seems much more likely
given that they probably have enterprise use cases that would warrant
implementing it.

I'd be happy to take pull requests since I try to make pam-krb5 reasonably
completionist as a hobby (although be aware that it's a purely hobby
project at this point), but they would need to include changes to the ci
directory to set up the KDC and RADIUS server appropriately so that the
test suite could do a proper end-to-end integration test.

-- 
Russ Allbery (eagle at eyrie.org)             <https://www.eyrie.org/~eagle/>
