2FA with krb5

Charles Hedrick hedrick at rutgers.edu
Fri Oct 15 20:22:11 EDT 2021


I’m not using that code now. When using it for real I would generate a special key tab with a user that had no permissions to do anything or use the host key tab depending upon the application.

Our staff and a few users have TOTP set for their account, so it has to work for everything. Logins use sssd, with its PAM. We have a service with source in the same repo that keeps credentials renewed and kills them when the user’s last session is gone. In case we need to kinit, I have a script that gets an anonymous credential and passes it to kinit -T. I get the credential from a service on the Kerberos server. It’s the same service that generates credentials for cron jobs. I could use kinit -n, but that creates a problem of distributing certs to all clients. The service is easier.

I don’t like key tabs for users because if someone manages to get a copy you have no way of knowing, and it can be used anywhere in the system. So if a user wants to use cron jobs that need credentials, they register with the service. At that point a PAM module used by cron can get a credential for them. It’s not forwardable, and is locked to that host’s IP. The primary use is so cron jobs can access files, since all our file systems are kerberized.

We are fully kerberized.  But one implementation constraint was that it should be invisible to users, except if they run cron jobs. That requires more work than it ought to.

> On Oct 15, 2021, at 5:50 PM, Ken Hornstein <kenh at cmf.nrl.navy.mil> wrote:
> 
> 
>> 
>> We use TOTP. That allows us to tack the token on the end of the
>> password. That makes it easy to fix programs that expect a simple
>> password prompt.
>> 
>> In fact I have a wrapper that can be interposed around pretty much
>> anything using LD_PRELOAD.
>> [...]
> 
> Well, that answers PART of my question.  And I am guessing based on
> the README for that you use k5start to generate the FAST armor cache
> using the host key in the keytab?  But this seems kind of RADIUS
> specific; do you use TOTP for people who just use kinit?
> 
> --Ken
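
Added example, not part of the original message and not the poster's script: a shell function showing the armor flow described above, using the `kinit -n` variant (anonymous PKINIT) to fill the armor cache that is then passed to `kinit -T`. It assumes MIT krb5 `kinit`, a KDC that permits anonymous PKINIT, and clients that already hold the PKINIT trust anchor; `armored_kinit` and the sample principal are hypothetical names.

```shell
#!/bin/sh
# Added example (not the poster's code): FAST-armored kinit.
# Step 1 gets an anonymous TGT into a private, throwaway armor cache.
# Step 2 runs the real AS exchange inside the FAST tunnel built from it,
# so the password (with the TOTP code tacked on) is not exposed to
# offline guessing by someone watching the wire.

armored_kinit() {
    principal=$1                 # e.g. alice@EXAMPLE.ORG (constructed sample)
    realm=${principal#*@}        # text after the first '@'

    # Require an explicit user@REALM so the armor ticket and the user
    # ticket are requested from the same realm.
    if [ -z "$principal" ] || [ "$realm" = "$principal" ] || [ -z "$realm" ]; then
        echo "usage: armored_kinit user@REALM" >&2
        return 2
    fi

    # mktemp creates the file mode 0600 with an unpredictable name, so
    # other local users cannot read or pre-create the armor cache.
    armor=$(mktemp "${TMPDIR:-/tmp}/krb5cc_armor.XXXXXX") || return 1

    # Anonymous ticket for the realm; -c keeps it out of the user's
    # default credential cache.
    if ! kinit -n -c "FILE:$armor" "@$realm"; then
        rm -f "$armor"
        return 1
    fi

    # Armored request for the real principal. kinit prompts as usual;
    # the resulting TGT lands in the default cache (KRB5CCNAME).
    rc=0
    kinit -T "FILE:$armor" "$principal" || rc=$?

    # The armor ticket has no further use once the exchange is done.
    rm -f "$armor"
    return "$rc"
}
```

Call it as `armored_kinit alice@EXAMPLE.ORG`; the armor cache is removed whether or not the second `kinit` succeeds.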
