2FA with krb5

Dan Mahoney danm at prime.gushi.org
Thu Oct 7 23:54:26 EDT 2021


So, there’s an assumption here: all the kerberos 2fa stuff is really only used when you kinit.  And that extra protocol is the one where the three differing protocols come in.  Just like sshd’s Password Authentication vs Challenge Response Authentication, the client has to be *able* to ask for more info.

Here’s my use case.

I ssh in to things.  Sometimes from MacOS, sometimes from iPadOS.  Some of our things require a kerberos ticket *or* some other 2fa, typically used in cases where you can’t kinit.

If you’re using kerberos in some other way (say, normal HTTP basic auth via mod_auth_kerb), you don’t have the benefit of the 2fa.  (You can tell apache not to let that work, and simply have your users forced to use ticket auth, but that doesn’t work on Android, iOS, iPadOS, etc).  

HTTP Basic Auth has no support for asking for additional factors — you can, depending on the application, ask for a 2fa code, or use the “put your 2fa token at the end of the password” approach, but I don’t know if kerberos knows how to split this off — and continue allowing it when the 2fa value continues changing.

Same goes for GSSAPI Auth with sshd — if you’re using either the builtin KerberosAuthentication or the alternative, pam with pam_krb5, you can fall back to password authentication and then use something like pam-whatever-other-2fa provider to get the same net effect.  I don’t know what the KDC says in those cases, if it refuses to work at all because no 2fa was presented, or if it Just Works.

And Radius, I get it but...I know for example with SecurID, one of the things you can do is talk to the SecurID server over RADIUS, and I’m pretty sure other 2fa servers (mypw, cryptocard, etc) do the same thing.  Radius isn’t an unreasonable protocol, but there’s no RADIUS server for, say, Google Authenticator, or OPIE.

You could have your KDC talk to a RADIUS server that’s talking to a PAM service that calls some sort of 2fa server.  That feels…duct-tapey.

I mean, this might be dumb, but why not have the kdc able to speak to pam modules directly?

-Dan
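The KDC-to-RADIUS hop discussed above is the one place in this chain with a fixed wire format, so here is a small self-contained sketch of it, written as an added example and not code from the post, from MIT krb5 or from any RADIUS server: a client builds an RFC 2865 Access-Request carrying the principal as User-Name and the OTP as the obfuscated User-Password, and a toy RADIUS server checks that OTP as an RFC 6238 TOTP code (the "Google Authenticator" style token the post says has no RADIUS server) and answers Access-Accept or Access-Reject with a proper Response Authenticator. The shared secret, the principal name, the TOTP seed and the clock value are all constructed for the example.

```python
"""Hypothetical KDC->RADIUS->TOTP exchange.  Wire format per RFC 2865,
one-time code per RFC 6238.  Nothing here is MIT krb5 or FreeRADIUS code."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hide_user_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-octet blocks; each block is XORed with
    MD5(secret + previous ciphertext block), seeded with the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    prev, out = authenticator, b""
    for i in range(0, len(padded), 16):
        block = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out += block
        prev = block
    return out


def reveal_user_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_user_password; the server side of the same obfuscation."""
    prev, out = authenticator, b""
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += _xor(block, hashlib.md5(secret + prev).digest())
        prev = block
    return out.rstrip(b"\x00")


def _attr(atype: int, value: bytes) -> bytes:
    # Attribute TLV: Type(1) Length(1, includes these two bytes) Value
    return struct.pack("!BB", atype, 2 + len(value)) + value


def build_access_request(ident: int, user: bytes, otp: bytes, secret: bytes) -> bytes:
    """What a KDC-side RADIUS client would send: the OTP travels as User-Password."""
    req_auth = os.urandom(16)  # Request Authenticator: random per request
    attrs = _attr(ATTR_USER_NAME, user) + _attr(
        ATTR_USER_PASSWORD, hide_user_password(otp, secret, req_auth))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs


def parse_packet(pkt: bytes):
    """Return (code, identifier, authenticator, {attr_type: value})."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    attrs, pos = {}, 20
    while pos < length:
        atype, alen = pkt[pos], pkt[pos + 1]
        attrs[atype] = pkt[pos + 2:pos + alen]
        pos += alen
    return code, ident, pkt[4:20], attrs


def totp(key: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1 with RFC 4226 dynamic truncation."""
    mac = hmac.new(key, struct.pack("!Q", now // step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack("!I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def radius_server_respond(request: bytes, secret: bytes, seeds: dict, now: int) -> bytes:
    """Toy RADIUS server: validate the presented OTP as a TOTP for that user."""
    code, ident, req_auth, attrs = parse_packet(request)
    user = attrs.get(ATTR_USER_NAME, b"")
    presented = reveal_user_password(attrs.get(ATTR_USER_PASSWORD, b""), secret, req_auth)
    ok = False
    if code == ACCESS_REQUEST and user in seeds:
        # Accept the current 30 s step and one step either side for clock skew.
        for skew in (-1, 0, 1):
            expected = totp(seeds[user], now + 30 * skew).encode()
            if hmac.compare_digest(presented, expected):
                ok = True
    header = struct.pack("!BBH", ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, 20)
    # Response Authenticator (RFC 2865 3): MD5(Code+ID+Length+RequestAuth+Attributes+Secret)
    return header + hashlib.md5(header + req_auth + secret).digest()


def verify_response(response: bytes, request: bytes, secret: bytes) -> bool:
    """Client-side check that the reply is bound to our request and the shared secret."""
    req_auth = request[4:20]
    header, resp_auth, attrs = response[:4], response[4:20], response[20:]
    expected = hashlib.md5(header + req_auth + attrs + secret).digest()
    return hmac.compare_digest(resp_auth, expected)


if __name__ == "__main__":
    secret = b"example-shared-secret"          # constructed
    seed = b"12345678901234567890"             # RFC 6238 test-vector seed
    seeds = {b"danm@EXAMPLE.ORG": seed}        # constructed principal
    req = build_access_request(7, b"danm@EXAMPLE.ORG", totp(seed, 59).encode(), secret)
    resp = radius_server_respond(req, secret, seeds, now=59)
    print("accepted" if parse_packet(resp)[0] == ACCESS_ACCEPT else "rejected",
          "authentic" if verify_response(resp, req, secret) else "forged")
```

Note what this does and does not give you: the User-Password hiding is obfuscation keyed on a shared secret and MD5, not encryption, which is why the shared secret and network path between KDC and RADIUS server still have to be protected, and why the KDC should check the Response Authenticator before trusting an Access-Accept.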

> On Oct 7, 2021, at 12:55 PM, Russ Allbery <eagle at eyrie.org> wrote:
> 
> Simo Sorce <simo at redhat.com> writes:
> 
>> Starting an ad-hoc kdc is pretty easy, I have it done in the make check
>> phase in many small projects, including starting an ldap server, I
>> haven't tried radius, but hopefully starting a freeradius server is not
>> exceedingly hard either.
> 
> Yeah, for the record it was just the RADIUS bit that I didn't already have
> working.  If anyone is curious:
> 
>    https://github.com/rra/pam-krb5/tree/master/ci
> 
> contains scripts that will set up either an MIT Kerberos KDC or a Heimdal
> KDC with PKINIT configured and a variety of keytabs and whatnot premade.
> They are used via GitHub Actions here:
> 
>    https://github.com/rra/pam-krb5/blob/master/.github/workflows/build.yaml
> 
> -- 
> Russ Allbery (eagle at eyrie.org)             <https://www.eyrie.org/~eagle/>
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
