2FA with krb5
Simo Sorce
simo at redhat.com
Thu Oct 7 15:35:41 EDT 2021
On Thu, 2021-10-07 at 15:14 -0400, Ken Hornstein wrote:
> > Ken Hornstein <kenh at cmf.nrl.navy.mil> writes:
> >
> > > I am not sure of the client coverage of the OTP FAST factor, though.
> >
> > For what it's worth, although my pam-krb5 module implements FAST including
> > both keyed and anonymous FAST, it does not implement FAST OTP. This is
> > because (a) I didn't find any documentation of what I was supposed to do
> > as a client (it's been years since I looked so this quite possibly has
> > changed),
>
> Huh, I _kinda_ thought that if you had FAST going, you got FAST OTP (on
> the client at least) for free! Which shows what I know. Maybe it works
> already and you never tested it?
>
> > and (b) attempting to set up a reasonable test environment looked painful.
> > In particular, there was (at the time, again haven't checked recently) a
> > lot of hand-waving about exactly how to set up the RADIUS part, since MIT
> > Kerberos just treats it as an oracle.
>
> Right, THIS is actually a huge problem. Like having to set up a RADIUS
> server? Ugh. It's also a problem for development! Like the only way I
> have found to effectively test preauth mechanisms is to do testing on one
> of our replica KDCs.
Starting an ad-hoc KDC is pretty easy; I have it done in the make check
phase in many small projects, including starting an LDAP server. I
haven't tried RADIUS, but hopefully starting a freeradius server is not
exceedingly hard either.
Simo.
--
Simo Sorce
RHEL Crypto Team
Red Hat, Inc
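The kind of ad-hoc test KDC Simo describes, written out as an added example for this thread (it is not code from Simo, pam-krb5 or MIT Kerberos). It generates a throwaway krb5.conf and kdc.conf under a scratch directory on a non-privileged port, then (optionally) creates the database and launches krb5kdc in the foreground. The realm name, port, principal name and passwords are constructed test values; starting the KDC assumes the MIT krb5 tools kdb5_util, kadmin.local and krb5kdc are on PATH, while generating the configuration needs nothing installed.

```shell
#!/bin/sh
# Added example: scaffold an ad-hoc MIT Kerberos realm for a make-check
# style test run. All values (realm, port, principal, passwords) are
# constructed test data, not anything from the thread.

# make_test_krb5_env DIR REALM PORT
# Writes DIR/krb5.conf and DIR/kdc.conf pointing at a KDC on 127.0.0.1:PORT
# and prints the path of the generated krb5.conf.
make_test_krb5_env() {
  dir=$1; realm=$2; port=$3
  mkdir -p "$dir"
  cat > "$dir/krb5.conf" <<EOF
[libdefaults]
    default_realm = $realm
    dns_lookup_kdc = false
    dns_lookup_realm = false

[realms]
    $realm = {
        kdc = 127.0.0.1:$port
        admin_server = 127.0.0.1:$port
    }

[logging]
    kdc = FILE:$dir/kdc.log
EOF
  cat > "$dir/kdc.conf" <<EOF
[kdcdefaults]
    kdc_ports = $port
    kdc_tcp_ports = $port

[realms]
    $realm = {
        database_name = $dir/principal
        acl_file = $dir/kadm5.acl
        key_stash_file = $dir/stash
        supported_enctypes = aes256-cts-hmac-sha1-96:normal
    }
EOF
  echo "$dir/krb5.conf"
}

# start_test_kdc DIR REALM
# Points the krb5 tools at the generated configs, creates a fresh database
# with a fixed (test-only) master password and one test principal, and runs
# krb5kdc in the foreground, backgrounded by the shell so the pid is known.
# Returns 1 if the MIT krb5 tools are not installed.
start_test_kdc() {
  dir=$1; realm=$2
  command -v kdb5_util >/dev/null 2>&1 || { echo "krb5 tools not on PATH" >&2; return 1; }
  KRB5_CONFIG="$dir/krb5.conf"; export KRB5_CONFIG
  KRB5_KDC_PROFILE="$dir/kdc.conf"; export KRB5_KDC_PROFILE
  # -s stashes the master key so krb5kdc can start unattended; -P sets the
  # master password non-interactively (test-only value).
  kdb5_util -r "$realm" create -s -P testmasterpw >/dev/null
  kadmin.local -q "addprinc -pw testuserpw alice" >/dev/null
  krb5kdc -n -r "$realm" &
  echo $! > "$dir/kdc.pid"
}

# stop_test_kdc DIR: kill the KDC started by start_test_kdc.
stop_test_kdc() {
  [ -f "$1/kdc.pid" ] && kill "$(cat "$1/kdc.pid")"
}
```

Typical use from a test harness: `tmp=$(mktemp -d); make_test_krb5_env "$tmp" EXAMPLE.TEST 61088; start_test_kdc "$tmp" EXAMPLE.TEST`, run the client under test with `KRB5_CONFIG=$tmp/krb5.conf` (for example `kinit alice`), then `stop_test_kdc "$tmp"` and remove the directory. Keeping the port above 1024 and every path under the scratch directory means the whole thing runs unprivileged and leaves nothing behind, which is what makes it usable from `make check`.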