2FA with krb5
Jochen Kellner
jochen at jochen.org
Thu Oct 7 15:29:57 EDT 2021
Ken Hornstein <kenh at cmf.nrl.navy.mil> writes:
>>I've been running Privacyidea (https://www.privacyidea.org/) for some
>>time to manage the tokens. Exposed the Application with RADIUS and told
>>FreeIPA to authenticate against RADIUS. Had some rough edges, but was
>>usable for me and is able to manage many kinds of tokens.
>
> So what's the _client_ look like? Specifically, are you doing FAST-OTP?
> If so, what client software are you using? Does this only work on
> systems with host keys, or do you do anonymous PKINIT?

I mostly use sssd and kinit. I'm not sure what sssd uses, but I remember
traces from kinit using PKINIT. These two clients worked well for me.

Other clients (Java applications) had problems with OTP. See
https://lists.jboss.org/pipermail/keycloak-user/2018-January/012759.html
for the analysis we did there.

As you said - with the "right" clients it might work. Otherwise you
might be stuck.

Jochen
--
This space is intentionally left blank.