help with OTP

Matt Zagrabelny mzagrabe at d.umn.edu
Mon Apr 24 17:42:44 EDT 2023


Greetings Kerberos folks,

I am attempting to understand a bit more of the OTP support in MIT's
Kerberos implementation.

I'm running Debian stable:

ii  krb5-kdc       1.18.3-6+deb11u3

I'm looking at the docs at:

https://web.mit.edu/kerberos/krb5-1.13/doc/admin/conf_files/kdc_conf.html#otp

The docs say about the "secret":

---<cut>---
This tag indicates a filename (which may be relative to
LOCALSTATEDIR/krb5kdc) containing the secret used to encrypt the
RADIUS packets. The secret should appear in the first line of the file
by itself; leading and trailing whitespace on the line will be
removed. If the value of server is a Unix domain socket address, this
tag is optional, and an empty secret will be used if it is not
specified. Otherwise, this tag is required.
---<cut>---

which seems to indicate that the secret should be a path to a file.

The example:

---<cut>---
[otp]
    MyRemoteTokenType = {
        server = radius.mydomain.com:1812
        secret = SEmfiajf42$
        timeout = 15
        retries = 5
        strip_realm = true
    }
---<cut>---

makes it look like you can put the secret directly into the
configuration file. There seems to be a little bit of disconnect
between those two parts of the docs. I just wanted to point it out if
it is helpful.

I've tried to configure my kdc.conf with the required otp stanzas:

[otp]
    MyRemoteTokenType = {
        server = radius.mydomain.com
        secret = super_secret_with_radiusd
        timeout = 15
        retries = 5
        strip_realm = true
    }

and I've set the otp string for my principal:

kadmin.local:  set_string bob@MYDOMAIN.COM otp
[{"type":"MyRemoteTokenType ","username":"bob"}]
Attribute set for principal "bob@MYDOMAIN.COM".

When I kinit, I don't see any traffic go to the RADIUS server (neither
in the KDC logs, nor in the radiusd logs) and I type my password for
Kerberos, which is different from my RADIUS password, and I get the
TGT:

$ klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: bob@MYDOMAIN.COM

Valid starting       Expires              Service principal
04/24/2023 16:17:02  04/25/2023 02:17:02  krbtgt/MYDOMAIN.COM@MYDOMAIN.COM
        renew until 04/25/2023 16:16:50

Any ideas what I am missing, or what steps I could take to debug this further?

Thanks for the help!

-m
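A small consistency check, added here as an example and not code from the post or from MIT krb5, that parses a kdc.conf [otp] stanza and a principal's otp string and reports token types that do not match a configured type exactly (the trailing space inside "type" above is the kind of mismatch it catches) and secret tags that do not name a readable file, as the docs describe. The sample stanza and otp string are constructed from the post; the /var/lib/krb5kdc default for LOCALSTATEDIR/krb5kdc on Debian is an assumption.

```python
"""Cross-check a kdc.conf [otp] stanza against a principal's otp string."""
import json
import os
import re

# Constructed sample input mirroring the post (trailing space in "type" is deliberate).
SAMPLE_CONF = """[otp]
    MyRemoteTokenType = {
        server = radius.mydomain.com
        secret = super_secret_with_radiusd
        timeout = 15
        retries = 5
        strip_realm = true
    }
"""
SAMPLE_OTP = '[{"type":"MyRemoteTokenType ","username":"bob"}]'

def parse_otp_section(conf_text):
    """Return {token_type: {tag: value}} for the [otp] section.
    Minimal parser for the nested-brace profile syntax used by kdc.conf."""
    types, in_otp, current = {}, False, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("["):                       # section header
            in_otp, current = line == "[otp]", None
        elif not in_otp:
            continue
        elif re.fullmatch(r"\S+\s*=\s*\{", line):      # "Name = {" opens a token type
            current = line.split("=", 1)[0].strip()
            types[current] = {}
        elif line == "}":
            current = None
        elif current is not None and "=" in line:
            tag, _, value = line.partition("=")
            types[current][tag.strip()] = value.strip()
    return types

def check_otp_string(conf_text, otp_string, statedir="/var/lib/krb5kdc"):
    """List problems: token types absent from [otp] (exact, whitespace-sensitive
    match) and secret tags that are not readable files. statedir is assumed."""
    types, problems = parse_otp_section(conf_text), []
    for tok in json.loads(otp_string):
        name = tok.get("type", "DEFAULT")             # docs: DEFAULT when omitted
        if name not in types:
            near = [t for t in types if t.strip() == name.strip()]
            hint = f" (near miss: {near[0]!r})" if near else ""
            problems.append(f"type {name!r} not configured in [otp]{hint}")
    for name, cfg in types.items():
        secret = cfg.get("secret")
        if secret is None and not cfg.get("server", "").startswith("/"):
            problems.append(f"{name}: secret is required unless server is a unix socket")
        elif secret and not os.path.isfile(os.path.join(statedir, secret)):
            problems.append(f"{name}: secret {secret!r} is not a file under {statedir}")
    return problems
```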

