help with OTP
Matt Zagrabelny
mzagrabe at d.umn.edu
Tue Apr 25 16:16:22 EDT 2023
Hi BuzzSaw,
Thanks for the reply!
On Tue, Apr 25, 2023 at 1:33 PM BuzzSaw Code <buzzsaw.code at gmail.com> wrote:
>
> What we did:
> - in your kdc.conf:
>
> [otp]
> DEFAULT = {
> server = localhost6:1812
> secret = secretfile
> strip_realm = true
> }
>
> This assumes your kdc runs a local RADIUS server that will answer up
> OTP requests. Change as needed.
Got it.
>
>
> - create the file 'secretfile' with your shared RADIUS secret in the
> same directory as kdc.conf
>
> - kadmin -q 'addprinc -randkey WELLKNOWN/ANONYMOUS'
-randkey. Do I need to know what the passphrase is?
>
> - kadmin -q 'modprinc +requires_preauth user'
> - kadmin -q 'setstr user otp []'
>
> Testing:
>
> Get an initial TGT with anonymous auth
> - kinit -n -c /tmp/somecache
I tried this, but it prompted me:
$ kinit -n -c /tmp/somecache
Password for WELLKNOWN/ANONYMOUS@MYDOMAIN.COM:
kinit: Password incorrect while getting initial credentials
...so I went and changed the password for the WELLKNOWN/ANONYMOUS
principal. Then...
$ kinit -n -c /tmp/somecache
Password for WELLKNOWN/ANONYMOUS@MYDOMAIN.COM:
kinit: Reply has wrong form of session key for anonymous request while
getting initial credentials
I've never requested anonymous credentials before.
Does anyone know how to correctly request them?
Thanks,
-m
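
An added example, not part of the original thread or of MIT Kerberos: a small Python check for the `[otp]` block quoted above, verifying that each `secret` option names a file that exists, is not accessible to group or other, and has a non-empty first line. It assumes the secret path is resolved relative to the directory holding kdc.conf, as the quoted steps describe, and that the RADIUS server is reached over the network; `parse_otp_types` and `check_otp_secrets` are hypothetical helper names.

```python
import os
import re
import stat

def parse_otp_types(text):
    """Return {token_type: {option: value}} from the [otp] section of kdc.conf text."""
    types, section, current = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section, current = header.group(1), None
        elif section != "otp":
            continue
        elif line.endswith("{"):                      # "DEFAULT = {" opens a token type
            current = types.setdefault(line.split("=")[0].strip(), {})
        elif line == "}":
            current = None
        elif current is not None and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            current[key] = value
    return types

def check_otp_secrets(conf_path):
    """Return a list of problems with the RADIUS secret files named in [otp]."""
    base = os.path.dirname(os.path.abspath(conf_path))  # assumption: relative to kdc.conf
    with open(conf_path) as fh:
        types = parse_otp_types(fh.read())
    problems = [] if types else ["no token type defined in [otp]"]
    for name, opts in types.items():
        if "secret" not in opts:
            problems.append(f"{name}: no secret option")
            continue
        path = os.path.join(base, opts["secret"])
        if not os.path.isfile(path):
            problems.append(f"{name}: secret file not found: {path}")
            continue
        if stat.S_IMODE(os.stat(path).st_mode) & 0o077:
            problems.append(f"{name}: secret file accessible by group/other: {path}")
        with open(path) as fh:
            if not fh.readline().strip():
                problems.append(f"{name}: first line of secret file is empty: {path}")
    return problems

if __name__ == "__main__":
    import sys
    for problem in check_otp_secrets(sys.argv[1]):
        print(problem)
```

Run it with the path to kdc.conf as the only argument; no output means none of the three checks failed.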