help with OTP
Matt Zagrabelny
mzagrabe at d.umn.edu
Tue Apr 25 18:07:23 EDT 2023
Making progress... but still need some pointers.
On Tue, Apr 25, 2023 at 4:01 PM BuzzSaw Code <buzzsaw.code at gmail.com> wrote:
>
> You don't need or want to know the anonymous principal's password -
> you should use randkey. Getting a password prompt for those creds
> means something is missing in the config.
OK. Agreed.
>
> You probably need to set some of the PKINIT parameters since they seem
This seems to be a missing point in my configuration. I just followed:
https://web.mit.edu/kerberos/www/krb5-latest/doc/admin/pkinit.html
to attempt to get pkinit working for anonymous credentials.
I generated the CA and the KDC cert/key and updated the config file
(/etc/krb5kdc/kdc.conf):
---<cut>---
[kdcdefaults]
kdc_ports = 750,88
kdc_tcp_listen = 88
[realms]
MYDOMAIN.COM = {
database_name = /var/lib/krb5kdc/principal
admin_keytab = FILE:/etc/krb5kdc/kadm5.keytab
acl_file = /etc/krb5kdc/kadm5.acl
key_stash_file = /etc/krb5kdc/stash
kdc_ports = 750,88
max_life = 10h 0m 0s
max_renewable_life = 7d 0h 0m 0s
default_principal_flags = +preauth
pkinit_identity = FILE:/etc/krb5kdc/kdc.pem,/etc/krb5kdc/kdckey.pem
}
---<cut>---
> to be tied to FAST as well in your krb5.conf on your client:
>
> YOURREALM = {
> pkinit_kdc_hostname = yourkdc.fqdn
> }
>
OK. Thanks! I added that to my /etc/krb5.conf.
$ kinit -n -c /tmp/somecache
Password for WELLKNOWN/ANONYMOUS at MYDOMAIN.COM:
In the KDC logs I see:
Apr 25 16:56:05 auth-test krb5kdc[226122]: AS_REQ (8 etypes
{aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17),
aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19),
DEPRECATED:des3-cbc-sha1(16), DEPRECATED:arcfour-hmac(23),
camellia128-cts-cmac(25), camellia256-cts-cmac(26)})
2607:ea00:200:60::13: NEEDED_PREAUTH: WELLKNOWN/ANONYMOUS at MYDOMAIN.COM
for krbtgt/MYDOMAIN.COM at MYDOMAIN.COM, Additional pre-authentication
required
Apr 25 16:56:05 auth-test krb5kdc[226122]: closing down fd 14
I see the "additional pre-authentication required". I check the
anonymous principal:
kadmin.local: get_principal WELLKNOWN/ANONYMOUS at MYDOMAIN.COM
Principal: WELLKNOWN/ANONYMOUS at MYDOMAIN.COM
Expiration date: [never]
Last password change: Tue Apr 25 16:04:45 CDT 2023
Password expiration date: [never]
Maximum ticket life: 0 days 10:00:00
Maximum renewable life: 7 days 00:00:00
Last modified: Tue Apr 25 16:04:45 CDT 2023 (root/admin at MYDOMAIN.COM)
Last successful authentication: Tue Apr 25 15:06:53 CDT 2023
Last failed authentication: Tue Apr 25 15:04:26 CDT 2023
Failed password attempts: 0
Number of keys: 2
Key: vno 3, aes256-cts-hmac-sha1-96
Key: vno 3, aes128-cts-hmac-sha1-96
MKey: vno 1
Attributes: REQUIRES_PRE_AUTH
So I remove the preauth requirement:
kadmin.local: modprinc -requires_preauth WELLKNOWN/ANONYMOUS at MYDOMAIN.COM
Principal "WELLKNOWN/ANONYMOUS at MYDOMAIN.COM" modified.
However, when I try:
$ kinit -n -c /tmp/somecache
Password for WELLKNOWN/ANONYMOUS at MYDOMAIN.COM:
I still get a password prompt and the KDC logs still say:
NEEDED_PREAUTH for the WELLKNOWN/ANONYMOUS at MYDOMAIN.COM principal.
Any ideas what I am missing to get pkinit working with anonymous credentials?
Thanks for the help!
-m
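The thread turns on which PKINIT parameters are set in the KDC's kdc.conf and the client's krb5.conf. As an added example (not code from the post or from MIT krb5), here is a small parser for the brace-nested INI format both files use, plus a check that reports which pkinit_* keys a realm stanza lacks. The expected-parameter table is an assumption drawn from the MIT pkinit guide linked in the post (pkinit_identity and pkinit_anchors on the KDC, pkinit_anchors on the client) and from the pkinit_kdc_hostname suggestion in the quoted reply; the two embedded config texts are constructed, the KDC one modelled on the post's kdc.conf, and the hostnames in them are placeholders.

```python
"""Report missing PKINIT parameters in krb5.conf / kdc.conf realm stanzas.

Added example, not part of the mailing-list post. Parses the INI-with-braces
format MIT krb5 uses and lists which pkinit_* keys a realm is missing.
"""
import re

# Assumption: which keys each side needs, per the MIT pkinit guide and the
# pkinit_kdc_hostname suggestion in the thread.
EXPECTED = {
    "kdc": ("pkinit_identity", "pkinit_anchors"),
    "client": ("pkinit_anchors", "pkinit_kdc_hostname"),
}

_SECTION = re.compile(r"^\[(\w+)\]$")
_ASSIGN = re.compile(r"^([\w./-]+)\s*=\s*(.*)$")


def parse_krb5_conf(text):
    """Parse krb5.conf-style text into {section: {key: value-or-dict}}.

    Supports one level of 'NAME = { ... }' nesting, which is what realm and
    domain stanzas use. Blank lines and '#'/';' comments are skipped.
    """
    conf, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = _SECTION.match(line)
        if m:
            section, block = m.group(1), None
            conf.setdefault(section, {})
            continue
        if section is None:
            raise ValueError("key outside any [section]: %r" % line)
        if line == "}":
            if block is None:
                raise ValueError("unmatched '}'")
            block = None
            continue
        m = _ASSIGN.match(line)
        if not m:
            raise ValueError("cannot parse line: %r" % line)
        key, value = m.group(1), m.group(2).strip()
        target = conf[section] if block is None else conf[section][block]
        if value == "{":
            if block is not None:
                raise ValueError("nested '{' not supported: %r" % line)
            block = key
            target[key] = {}
        else:
            target[key] = value
    if block is not None:
        raise ValueError("unterminated '{' block: %r" % block)
    return conf


def pkinit_settings(conf, realm):
    """pkinit_* keys in effect for realm: [libdefaults] first, realm stanza overrides."""
    found = {k: v for k, v in conf.get("libdefaults", {}).items() if k.startswith("pkinit_")}
    stanza = conf.get("realms", {}).get(realm, {})
    if isinstance(stanza, dict):
        found.update((k, v) for k, v in stanza.items() if k.startswith("pkinit_"))
    return found


def missing_pkinit_params(conf, realm, role):
    """Return the EXPECTED[role] parameters that are not set for realm."""
    present = pkinit_settings(conf, realm)
    return [k for k in EXPECTED[role] if k not in present]


# Constructed sample modelled on the kdc.conf in the post: pkinit_identity is
# set, but no trust anchors are configured for the realm.
KDC_CONF = """
[kdcdefaults]
    kdc_ports = 750,88
    kdc_tcp_listen = 88

[realms]
    MYDOMAIN.COM = {
        database_name = /var/lib/krb5kdc/principal
        default_principal_flags = +preauth
        pkinit_identity = FILE:/etc/krb5kdc/kdc.pem,/etc/krb5kdc/kdckey.pem
    }
"""

# Constructed client krb5.conf with both keys the check looks for (hostnames are placeholders).
CLIENT_CONF = """
[libdefaults]
    default_realm = MYDOMAIN.COM
    pkinit_anchors = FILE:/etc/krb5/cacert.pem

[realms]
    MYDOMAIN.COM = {
        kdc = kdc.mydomain.com
        pkinit_kdc_hostname = kdc.mydomain.com
    }
"""

if __name__ == "__main__":
    for name, text, role in (("kdc.conf", KDC_CONF, "kdc"), ("krb5.conf", CLIENT_CONF, "client")):
        gaps = missing_pkinit_params(parse_krb5_conf(text), "MYDOMAIN.COM", role)
        print("%s: %s" % (name, "missing " + ", ".join(gaps) if gaps else "all expected PKINIT keys set"))
```

Run against the embedded samples it reports the KDC stanza as missing pkinit_anchors and the client file as complete; point parse_krb5_conf at the real files' contents to check a live setup. Keys in [libdefaults] are taken as defaults that a realm stanza can override, which matches how the client library resolves them.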