2FA with krb5

Jochen Kellner jochen at jochen.org
Thu Oct 7 15:29:57 EDT 2021


Ken Hornstein <kenh at cmf.nrl.navy.mil> writes:

>>I've been running Privacyidea (https://www.privacyidea.org/) for some
>>time to manage the tokens. Exposed the Application with RADIUS and told
>>FreeIPA to authenticate against RADIUS. Had some rough edges, but was
>>usable for me and is able to manage many kinds of tokens. 
>
> So what's the _client_ look like?  Specifically, are you doing FAST-OTP?
> If so, what client software are you using?  Does this only work on
> systems with host keys, or do you do anonymous PKINIT?

I mostly use sssd and kinit. I'm not sure what sssd uses, but I remember
traces from kinit using PKINIT. These two clients worked well for me.

Other clients (java applications) had problems with OTP. See
https://lists.jboss.org/pipermail/keycloak-user/2018-January/012759.html
for the analysis we did there.

As you said - with the "right" clients it might work. Otherwise you
might be stuck.

Jochen

-- 
This space is intentionally left blank.
