2FA with krb5

Simo Sorce simo at redhat.com
Thu Oct 7 15:35:41 EDT 2021


On Thu, 2021-10-07 at 15:14 -0400, Ken Hornstein wrote:
> > Ken Hornstein <kenh at cmf.nrl.navy.mil> writes:
> > 
> > > I am not sure of the client coverage of the OTP FAST factor,
> > > though.
> > 
> > For what it's worth, although my pam-krb5 module implements FAST
> > including both keyed and anonymous FAST, it does not implement FAST
> > OTP. This is because (a) I didn't find any documentation of what I
> > was supposed to do as a client (it's been years since I looked so
> > this quite possibly has changed),
> 
> Huh, I _kinda_ thought that if you had FAST going, you got FAST OTP
> (on the client at least) for free!  Which shows what I know.  Maybe it
> works already and you never tested it?
> 
> > and (b) attempting to set up a reasonable test environment
> > looked painful.  In particular, there was (at the time, again
> > haven't checked recently) a lot of hand-waving about exactly how to
> > set up the RADIUS part, since MIT Kerberos just treats it as an
> > oracle.
> 
> Right, THIS is actually a huge problem.  Like having to set up a
> RADIUS server?  Ugh.  It's also a problem for development!  Like the
> only way I have found to effectively test preauth mechanisms is to do
> testing on one of our replica KDCs.

Starting an ad-hoc KDC is pretty easy; I have it done in the make check
phase in many small projects, including starting an LDAP server. I
haven't tried RADIUS, but hopefully starting a FreeRADIUS server is not
exceedingly hard either.

Simo.

-- 
Simo Sorce
RHEL Crypto Team
Red Hat, Inc
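Simo's point that an ad-hoc KDC can be brought up inside a make check phase, as an added shell example that is not part of the original thread or of any of the posters' projects. It assumes the MIT krb5 tools (kdb5_util, kadmin.local, krb5kdc, kinit) are on $PATH and a krb5 version that understands kdc_listen; the realm name, loopback ports, principal and passwords are constructed for the example.

```shell
#!/bin/sh
# Ephemeral MIT krb5 KDC for a test harness (for example a "make check" step).
# Everything lives under one scratch directory and on unprivileged loopback
# ports, so it needs neither root nor any change to /etc.
#
# Assumptions (not from the original message): the MIT krb5 tools kdb5_util,
# kadmin.local, krb5kdc and kinit are on $PATH when start_test_kdc runs; the
# realm name, ports, principal and passwords below are constructed for this
# example only.

TEST_REALM="EXAMPLE.TEST"
KDC_PORT=18088
KADMIN_PORT=18749

# Write krb5.conf, kdc.conf and kadm5.acl under $1; print the krb5.conf path.
write_kdc_configs() {
    dir="$1"
    mkdir -p "$dir"
    cat > "$dir/krb5.conf" <<EOF
[libdefaults]
    default_realm = $TEST_REALM
    dns_lookup_kdc = false
    dns_lookup_realm = false

[realms]
    $TEST_REALM = {
        kdc = 127.0.0.1:$KDC_PORT
        admin_server = 127.0.0.1:$KADMIN_PORT
    }
EOF
    # Listen on loopback only; require preauth so the preauth code paths
    # (the ones under discussion) are exercised on every AS exchange.
    cat > "$dir/kdc.conf" <<EOF
[kdcdefaults]
    kdc_listen = 127.0.0.1:$KDC_PORT
    kdc_tcp_listen = 127.0.0.1:$KDC_PORT

[realms]
    $TEST_REALM = {
        database_name = $dir/principal
        key_stash_file = $dir/stash
        acl_file = $dir/kadm5.acl
        default_principal_flags = +preauth
    }

[logging]
    kdc = FILE:$dir/kdc.log
EOF
    echo "*/admin@$TEST_REALM *" > "$dir/kadm5.acl"
    echo "$dir/krb5.conf"
}

# Create the database, add one test principal and start krb5kdc in the
# background. The KDC pid is stored in $1/kdc.pid for stop_test_kdc.
start_test_kdc() {
    dir="$1"
    conf=$(write_kdc_configs "$dir")
    export KRB5_CONFIG="$conf"
    export KRB5_KDC_PROFILE="$dir/kdc.conf"
    # Throwaway master password given non-interactively (-P), stashed (-s).
    kdb5_util -r "$TEST_REALM" -P test-master-pw create -s \
        > "$dir/kdb5_util.log" 2>&1
    kadmin.local -q "addprinc -pw test-user-pw user" >> "$dir/kadmin.log" 2>&1
    krb5kdc -n -r "$TEST_REALM" > "$dir/krb5kdc.out" 2>&1 &
    echo "$!" > "$dir/kdc.pid"
    sleep 1   # give the daemon a moment to bind its ports
}

stop_test_kdc() {
    dir="$1"
    if [ -f "$dir/kdc.pid" ]; then
        kill "$(cat "$dir/kdc.pid")" 2> /dev/null || true
        rm -f "$dir/kdc.pid"
    fi
}

# Smoke test: obtain a TGT against the ad-hoc KDC, then tear it down.
# Run as:  sh ephemeral_kdc.sh run
if [ "${1:-}" = "run" ]; then
    work=$(mktemp -d)
    start_test_kdc "$work"
    export KRB5CCNAME="FILE:$work/ccache"
    echo test-user-pw | kinit "user@$TEST_REALM" && klist
    stop_test_kdc "$work"
    rm -rf "$work"
fi
```

The script stops where the thread's pain point starts: MIT krb5's OTP preauth is configured through an `[otp]` section in kdc.conf naming the RADIUS server and shared secret, plus a per-principal `otp` string attribute, and the RADIUS side itself (the part Ken calls hand-waving) is not set up here.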
