2FA with krb5
Ken Hornstein
kenh at cmf.nrl.navy.mil
Thu Oct 7 15:14:33 EDT 2021
>Ken Hornstein <kenh at cmf.nrl.navy.mil> writes:
>
>> I am not sure of the client coverage of the OTP FAST factor, though.
>
>For what it's worth, although my pam-krb5 module implements FAST including
>both keyed and anonymous FAST, it does not implement FAST OTP. This is
>because (a) I didn't find any documentation of what I was supposed to do
>as a client (it's been years since I looked so this quite possibly has
>changed),

Huh, I _kinda_ thought that if you had FAST going, you got FAST OTP (on
the client at least) for free! Which shows what I know. Maybe it works
already and you never tested it?

>and (b) attempting to set up a reasonable test environment
>looked painful. In particular, there was (at the time, again haven't
>checked recently) a lot of hand-waving about exactly how to set up the RADIUS
>part, since MIT Kerberos just treats it as an oracle.

Right, THIS is actually a huge problem. Like having to set up a RADIUS
server? Ugh. It's also a problem for development! Like the only
way I have found to effectively test preauth mechanisms is to do
testing on one of our replica KDCs.

--Ken