2FA with krb5

Ken Hornstein kenh at cmf.nrl.navy.mil
Thu Oct 7 15:14:33 EDT 2021


>Ken Hornstein <kenh at cmf.nrl.navy.mil> writes:
>
>> I am not sure of the client coverage of the OTP FAST factor, though.
>
>For what it's worth, although my pam-krb5 module implements FAST including
>both keyed and anonymous FAST, it does not implement FAST OTP.  This is
>because (a) I didn't find any documentation of what I was supposed to do
>as a client (it's been years since I looked so this quite possibly has
>changed),

Huh, I _kinda_ thought that if you had FAST going, you got FAST OTP (on
the client at least) for free!  Which shows what I know.  Maybe it works
already and you never tested it?

>and (b) attempting to set up a reasonable test environment
>looked painful.  In particular, there was (at the time, again haven't
>checked recently) a lot of hand-waving about exactly how to set up the RADIUS
>part, since MIT Kerberos just treats it as an oracle.

Right, THIS is actually a huge problem.  Like having to set up a RADIUS
server?  Ugh.  It's also a problem for development!  Like the only
way I have found to effectively test preauth mechanisms is to do
testing on one of our replica KDCs.

--Ken
