2FA with krb5

Simo Sorce simo at redhat.com
Thu Oct 7 15:06:14 EDT 2021


On Thu, 2021-10-07 at 11:50 -0700, Russ Allbery wrote:
> Ken Hornstein <kenh at cmf.nrl.navy.mil> writes:
> 
> > I am not sure of the client coverage of the OTP FAST factor, though.
> 
> For what it's worth, although my pam-krb5 module implements FAST including
> both keyed and anonymous FAST, it does not implement FAST OTP.  This is
> because (a) I didn't find any documentation of what I was supposed to do
> as a client (it's been years since I looked so this quite possibly has
> changed), and (b) attempting to set up a reasonable test environment
> looked painful.  In particular, there was (at the time, again haven't
> checked recently) a lot of hand-waving about exactly how to set up the RADIUS
> part, since MIT Kerberos just treats it as an oracle.

It is somewhat documented, but see below.

> I haven't checked if sssd supports FAST OTP.  That seems much more likely
> given that they probably have enterprise use cases that would warrant
> implementing it.

It does, and FreeIPA implements the server part, so you can look there
for examples and testing capabilities if you are so inclined.

> I'd be happy to take pull requests since I try to make pam-krb5 reasonably
> completionist as a hobby (although be aware that it's a purely hobby
> project at this point), but they would need to include changes to the ci
> directory to set up the KDC and RADIUS server appropriately so that the
> test suite could do a proper end-to-end integration test.

HTH,
Simo.

-- 
Simo Sorce
RHEL Crypto Team
Red Hat, Inc
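The "RADIUS part" that the thread calls hand-wavy is, from the KDC's point of view, just an oracle: the KDC forwards the user name and the OTP value the client typed in an Access-Request and accepts or rejects the OTP preauth depending on whether it gets Access-Accept back. The example below is added here to make that hop concrete; it is not code from MIT Kerberos, FreeIPA, sssd or pam-krb5. It implements the minimum of RFC 2865 (Access-Request/Accept/Reject, User-Password hiding, Response Authenticator) plus RFC 6238 TOTP, so that the server side of the exchange can be exercised offline. The shared secret, the principal names and the TOTP seed are constructed for the example (the seed is the RFC 4226/6238 test key); that the KDC sends exactly User-Name, User-Password and NAS-Identifier is an assumption, not something this page states.

```python
"""Toy RADIUS 'OTP oracle' of the kind a KDC's OTP preauth backend queries.

Added example, not project code.  Just enough RFC 2865 to answer one
question: is this token value valid for this user right now?
"""
import hashlib
import hmac
import os
import struct
import time

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IDENTIFIER = 1, 2, 32

# Constructed for the example: the secret the KDC and the RADIUS server share.
SHARED_SECRET = b"example-radius-secret"
# Constructed user database: principal -> raw TOTP seed (RFC 4226 test key).
TOTP_SEEDS = {"alice@EXAMPLE.COM": b"12345678901234567890"}


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(seed: bytes, now: int, step: int = 30) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(seed, now // step)


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hide_password(password: bytes, authenticator: bytes, secret: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with an MD5 chain."""
    padded = password + b"\0" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out, prev = out + block, block
    return out


def reveal_password(hidden: bytes, authenticator: bytes, secret: bytes) -> bytes:
    """Inverse of hide_password.  OTP values are digits, so stripping NULs is safe."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out, prev = out + _xor(block, hashlib.md5(secret + prev).digest()), block
    return out.rstrip(b"\0")


def encode_attrs(attrs) -> bytes:
    """List of (type, value) -> RADIUS TLVs; length byte covers the 2-byte header."""
    return b"".join(struct.pack("BB", t, len(v) + 2) + v for t, v in attrs)


def parse_attrs(data: bytes):
    """RADIUS TLVs -> list of (type, value); rejects truncated or zero-length TLVs."""
    attrs = []
    while data:
        if len(data) < 2 or data[1] < 2 or data[1] > len(data):
            raise ValueError("malformed attribute")
        attrs.append((data[0], data[2:data[1]]))
        data = data[data[1]:]
    return attrs


def build_access_request(user: str, token: bytes, secret: bytes,
                         ident: int = 0, authenticator: bytes = None) -> bytes:
    """What the KDC side sends: User-Name, hidden User-Password, NAS-Identifier."""
    authenticator = os.urandom(16) if authenticator is None else authenticator
    attrs = encode_attrs([
        (ATTR_USER_NAME, user.encode()),
        (ATTR_USER_PASSWORD, hide_password(token, authenticator, secret)),
        (ATTR_NAS_IDENTIFIER, b"kdc.example.com"),  # constructed name
    ])
    return struct.pack(">BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs


def _response(code: int, ident: int, request_auth: bytes, secret: bytes) -> bytes:
    """Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    head = struct.pack(">BBH", code, ident, 20)
    return head + hashlib.md5(head + request_auth + secret).digest()


def handle_request(packet: bytes, secret: bytes, now: int = None, window: int = 1) -> bytes:
    """The oracle: Access-Accept iff the token matches TOTP within +/- window steps.

    Malformed packets raise; unknown users and bad tokens are rejected, never
    distinguished, so the KDC learns nothing beyond accept/reject.
    """
    if len(packet) < 20:
        raise ValueError("short packet")
    code, ident, length = struct.unpack(">BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet):
        raise ValueError("not a well-formed Access-Request")
    request_auth = packet[4:20]
    attrs = dict(parse_attrs(packet[20:]))  # toy: a repeated attribute overwrites
    seed = TOTP_SEEDS.get(attrs.get(ATTR_USER_NAME, b"").decode(errors="replace"))
    hidden = attrs.get(ATTR_USER_PASSWORD)
    if seed is None or hidden is None or len(hidden) % 16:
        return _response(ACCESS_REJECT, ident, request_auth, secret)
    token = reveal_password(hidden, request_auth, secret)
    now = int(time.time()) if now is None else now
    valid = [totp(seed, now + k * 30).encode() for k in range(-window, window + 1)]
    ok = any(hmac.compare_digest(token, v) for v in valid)
    return _response(ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, request_auth, secret)


def verify_response(response: bytes, request_auth: bytes, secret: bytes) -> bool:
    """Client side: check the Response Authenticator before trusting the code."""
    if len(response) < 20:
        return False
    head, resp_auth, attrs = response[:4], response[4:20], response[20:]
    expected = hashlib.md5(head + request_auth + attrs + secret).digest()
    return hmac.compare_digest(resp_auth, expected)


def response_code(response: bytes) -> int:
    return response[0]


if __name__ == "__main__":
    auth = os.urandom(16)
    req = build_access_request("alice@EXAMPLE.COM", totp(TOTP_SEEDS["alice@EXAMPLE.COM"], int(time.time())).encode(), SHARED_SECRET, authenticator=auth)
    resp = handle_request(req, SHARED_SECRET)
    print("accept" if verify_response(resp, auth, SHARED_SECRET) and response_code(resp) == ACCESS_ACCEPT else "reject")
```

Two things worth noting for anyone wiring a real KDC to a RADIUS server this way. First, the KDC must check the Response Authenticator (as verify_response does); without it anyone who can spoof a UDP reply can mint an Access-Accept. Second, User-Password hiding is an MD5 stream keyed by the shared secret, which is not a strong channel, so the KDC-to-RADIUS hop should stay on localhost or a dedicated network, and the RADIUS server should return the same Access-Reject for unknown users and wrong tokens so the oracle does not leak which principals are enrolled.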
