2FA with krb5

Ken Hornstein kenh at cmf.nrl.navy.mil
Fri Oct 8 07:45:06 EDT 2021


>I mean, this might be dumb, but why not have the kdc able to speak to
>pam modules directly?

All of those things are "send me a 2FA token and I will verify it".
(Also, the pam API really really wants to talk to a person, that's
the whole point of the "pam conversation" functions; I don't see how
you could make that work with a KDC).

Kerberos is "I am going to take your password which I already know,
convert it into an encryption key, and use it to verify your Kerberos
request".  Kerberos needs to know the password/factor to make that
happen, where the typical 2FA API only tells you "is this token good
or not?".

I am aware of one site that a long, long time ago had developed code
where you used the 2FA code as the Kerberos password directly; I never
thought that was a good idea myself, as the 2FA code never had a lot
of entropy to serve as a good encryption key, but it worked for them.

If you want to use something like TOTP, then I think you're probably
going to have to write your own FAST OTP preauth module.  Which is
doable!  Although in practice it seems like any preauth module requires
access to the MIT Kerberos ASN.1 decoder/encoder API, which means
an internal dependency.  Sigh.

Sadly, at this stage right now if you want to effectively use 2FA with
Kerberos you're going to be stuck at the very minimum reading a lot of
source code and protocol documents to see if you have the application
coverage you need.

--Ken
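The contrast drawn in the message above, as an added example (it is not code from the post, from MIT Kerberos, or from the site Ken mentions): a stdlib-only Python model of the Kerberos side (password, string-to-key, PA-ENC-TIMESTAMP verified by a KDC that holds the long-term key) beside the 2FA side (RFC 6238 TOTP, whose verifier only answers yes or no). It then models the "use the 2FA code as the Kerberos password" scheme and shows why it is weak: a captured preauth blob is brute-forced offline over the 10**6 possible codes. Assumptions: the cipher is a toy confounder/keystream/HMAC construction standing in for a real enctype (not AES-CTS), the RFC 3962 DK() step is omitted, the principal, salt, password, TOTP seed and timestamp are constructed fixtures, and the brute-force demo uses a reduced PBKDF2 iteration count so it finishes in seconds, with the full-strength cost measured separately.

```python
"""Model of the two verification models contrasted in the message above.

Added example, not code from the post or from MIT Kerberos. Stdlib only.
The cipher is a stand-in for a Kerberos enctype, the names and secrets are
constructed, and the "KDC database" is a dict.
"""
import hashlib
import hmac
import os
import struct
import time

KEY_LEN = 16               # aes128 key length; the toy cipher below is not AES
TAG_LEN = 12               # mirrors the 96-bit truncated HMAC of aes-sha1-96
PBKDF2_ITERATIONS = 4096   # RFC 3962 default iteration count


def string2key(password, salt, iterations=PBKDF2_ITERATIONS):
    """RFC 3962-style string-to-key: PBKDF2-HMAC-SHA1 over the password with the
    principal's salt (realm + name). The real enctype also applies DK() to the
    PBKDF2 output; that step is omitted here."""
    return hashlib.pbkdf2_hmac("sha1", password.encode(), salt.encode(), iterations, KEY_LEN)


def seal(key, plaintext):
    """Stand-in for the enctype's encrypt: random confounder, HMAC-derived
    keystream, HMAC tag (encrypt-then-MAC). Verifying needs the key."""
    assert len(plaintext) <= 32
    confounder = os.urandom(16)
    stream = hmac.digest(key, confounder, "sha256")[:len(plaintext)]
    body = confounder + bytes(a ^ b for a, b in zip(plaintext, stream))
    return body + hmac.digest(key, body, "sha256")[:TAG_LEN]


def unseal(key, blob):
    """Return the plaintext, or None if the tag does not verify under this key."""
    body, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(hmac.digest(key, body, "sha256")[:TAG_LEN], tag):
        return None
    confounder, ct = body[:16], body[16:]
    stream = hmac.digest(key, confounder, "sha256")[:len(ct)]
    return bytes(a ^ b for a, b in zip(ct, stream))


# --- Kerberos: the KDC must hold the key to verify the request -------------

def client_preauth(password, salt, now, iterations=PBKDF2_ITERATIONS):
    """PA-ENC-TIMESTAMP: the client encrypts the current time under the key it
    derives from whatever the user typed."""
    return seal(string2key(password, salt, iterations), struct.pack(">Q", now))


def kdc_verify_preauth(stored_key, padata, now, skew=300):
    """The KDC decrypts with the principal's long-term key and accepts the
    timestamp if it is within clock skew. A yes/no from a 2FA API cannot
    replace stored_key here."""
    pt = unseal(stored_key, padata)
    if pt is None or len(pt) != 8:
        return False
    (ts,) = struct.unpack(">Q", pt)
    return abs(ts - now) <= skew


# --- 2FA: the verifier only answers "is this token good or not?" -----------

def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the counter, dynamic truncation."""
    mac = hmac.digest(secret, struct.pack(">Q", counter), "sha1")
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def totp(secret, now, step=30):
    """RFC 6238 TOTP: HOTP over the 30-second time step."""
    return hotp(secret, now // step)


def totp_verify(secret, code, now, step=30, window=1):
    """What a typical 2FA API hands back: a boolean, nothing key-shaped."""
    return any(hmac.compare_digest(hotp(secret, now // step + d), code)
               for d in range(-window, window + 1))


# --- "the 2FA code is the Kerberos password": works, but ~20 bits of key ---

def recover_code_from_preauth(salt, padata, iterations):
    """Offline attack on a captured PA-ENC-TIMESTAMP when the password was a
    6-digit code: try all 10**6 codes; the enctype cannot add entropy."""
    for n in range(10 ** 6):
        code = f"{n:06d}"
        if unseal(string2key(code, salt, iterations), padata) is not None:
            return code
    return None


def seconds_to_exhaust(salt, iterations=PBKDF2_ITERATIONS, samples=50):
    """Time string2key at full strength and extrapolate to 10**6 codes on one core."""
    start = time.perf_counter()
    for n in range(samples):
        string2key(f"{n:06d}", salt, iterations)
    return (time.perf_counter() - start) / samples * 10 ** 6


# Constructed fixtures (not real credentials).
SALT = "EXAMPLE.ORGalice"                  # default salt: realm + principal name
PASSWORD = "correct horse battery staple"
TOTP_SECRET = b"0123456789abcdef0123"      # 160-bit seed, as a TOTP app holds
T0 = 1_633_693_506                         # fixed epoch time (Oct 2021) for determinism
KDB = {"alice@EXAMPLE.ORG": string2key(PASSWORD, SALT)}   # what the KDC stores


def demo():
    key = KDB["alice@EXAMPLE.ORG"]
    code = totp(TOTP_SECRET, T0)
    # Demo uses 1 PBKDF2 iteration so the brute force finishes in seconds;
    # seconds_to_exhaust() reports the cost at the real 4096.
    weak = client_preauth(code, SALT, T0, iterations=1)
    return {
        "password_preauth_ok": kdc_verify_preauth(key, client_preauth(PASSWORD, SALT, T0), T0),
        "wrong_password_rejected": not kdc_verify_preauth(key, client_preauth("wrong", SALT, T0), T0),
        "totp_verify_is_bool": totp_verify(TOTP_SECRET, code, T0) is True,
        "code_as_password_works": kdc_verify_preauth(string2key(code, SALT, 1), weak, T0),
        "recovered_code": recover_code_from_preauth(SALT, weak, iterations=1),
        "full_strength_seconds": seconds_to_exhaust(SALT),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Two things the run makes concrete: the KDC's check in `kdc_verify_preauth` has nowhere to plug a boolean from `totp_verify`, because it needs the key itself; and `recover_code_from_preauth` succeeds against the code-as-password scheme whatever the enctype, since a 6-digit code leaves only 10**6 candidates and the iteration count only scales the attacker's time linearly (the `full_strength_seconds` figure is that scaled cost on the machine running the demo).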


More information about the Kerberos mailing list