2FA with krb5

Greg Hudson ghudson at mit.edu
Fri Oct 8 11:45:51 EDT 2021


On 10/8/21 7:45 AM, Ken Hornstein wrote:
>> I mean, this might be dumb, but why not have the kdc able to speak to
>> pam modules directly?

> Kerberos is "I am going to take your password which I already know,
> convert it into an encryption key, and use it to verify your Kerberos
> request".  Kerberos needs to know the password/factor to make that
> happen, where the typical 2FA API only tells you "is this token good
> or not?".

I think Dan was assuming one of the cases where the KDC received a 2FA
value and needs an oracle, such as FAST OTP.

One concern is that PAM modules must operate synchronously (unless I'm
badly mistaken), so the KDC process would be blocked if the module has
to talk to a remote server.  You can get away with that if your
population of 2FA users is small and the oracle is fast, but OTP oracles
are often deliberately slow to answer.  We developed an async kdcpreauth
interface and async RADIUS code to address that problem for FAST OTP.
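An added illustration of the blocking concern above (constructed simulation, not code from the thread or from krb5): a deliberately slow OTP oracle is queried first synchronously, the way a PAM module call would block a single KDC process, then concurrently, the way an async preauth/RADIUS path lets other requests proceed. The oracle, its delay, and the token rule are assumptions made up for the demo.

```python
"""Constructed demo: synchronous vs. asynchronous OTP oracle in a KDC-like server."""
import asyncio
import time

# Assumed: the oracle takes ORACLE_DELAY seconds to answer (OTP oracles are
# often deliberately slow), and a token is "good" if it is six digits ending in 7.
ORACLE_DELAY = 0.05


def _token_is_good(code: str) -> bool:
    """Constructed oracle rule; stands in for a real RADIUS/OTP verdict."""
    return len(code) == 6 and code.isdigit() and code.endswith("7")


def verify_otp_blocking(user: str, code: str) -> bool:
    """Synchronous oracle call: the whole process waits, like a PAM module call."""
    time.sleep(ORACLE_DELAY)
    return _token_is_good(code)


async def verify_otp_async(user: str, code: str) -> bool:
    """Asynchronous oracle call: the event loop is free while this request waits."""
    await asyncio.sleep(ORACLE_DELAY)
    return _token_is_good(code)


def serve_blocking(requests):
    """Serve (user, code) pairs one after another; returns (verdicts, elapsed)."""
    start = time.monotonic()
    verdicts = [verify_otp_blocking(u, c) for u, c in requests]
    return verdicts, time.monotonic() - start


async def _serve_async(requests):
    start = time.monotonic()
    verdicts = await asyncio.gather(*(verify_otp_async(u, c) for u, c in requests))
    return list(verdicts), time.monotonic() - start


def serve_async(requests):
    """Serve the same requests concurrently; returns (verdicts, elapsed)."""
    return asyncio.run(_serve_async(requests))


# Constructed sample requests: four AS-REQs arriving at once.
SAMPLE_REQUESTS = [("alice", "123457"), ("bob", "123456"),
                   ("carol", "abcdef"), ("dave", "000007")]

if __name__ == "__main__":
    for name, fn in (("blocking", serve_blocking), ("async", serve_async)):
        verdicts, elapsed = fn(SAMPLE_REQUESTS)
        print(f"{name:9s} verdicts={verdicts} elapsed={elapsed:.3f}s")
```

With four requests the blocking path takes roughly four oracle delays, the async path roughly one; the same verdicts come back either way.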

