help with OTP

Matt Zagrabelny mzagrabe at d.umn.edu
Tue Apr 25 18:07:23 EDT 2023


Making progress... but still need some pointers.

On Tue, Apr 25, 2023 at 4:01 PM BuzzSaw Code <buzzsaw.code at gmail.com> wrote:
>
> You don't need or want to know the anonymous principal's password -
> you should use randkey.  Getting a password prompt for those creds
> means something is missing in the config.

OK. Agreed.

>
> You probably need to set some of the PKINIT parameters since they seem

This seems to be a missing point in my configuration. I just followed:

https://web.mit.edu/kerberos/www/krb5-latest/doc/admin/pkinit.html

to attempt to get pkinit working for anonymous credentials.

I generated the CA and the KDC cert/key and updated the config file
(/etc/krb5kdc/kdc.conf):

---<cut>---
[kdcdefaults]
    kdc_ports = 750,88
    kdc_tcp_listen = 88

[realms]
    MYDOMAIN.COM = {
        database_name = /var/lib/krb5kdc/principal
        admin_keytab = FILE:/etc/krb5kdc/kadm5.keytab
        acl_file = /etc/krb5kdc/kadm5.acl
        key_stash_file = /etc/krb5kdc/stash
        kdc_ports = 750,88
        max_life = 10h 0m 0s
        max_renewable_life = 7d 0h 0m 0s
        default_principal_flags = +preauth
        pkinit_identity = FILE:/etc/krb5kdc/kdc.pem,/etc/krb5kdc/kdckey.pem
    }
---<cut>---


> to be tied to FAST as well in your krb5.conf on your client:
>
> YOURREALM = {
>   pkinit_kdc_hostname = yourkdc.fqdn
> }
>

OK. Thanks! I added that to my /etc/krb5.conf.

$ kinit -n -c /tmp/somecache
Password for WELLKNOWN/ANONYMOUS at MYDOMAIN.COM:

In the KDC logs I see:

Apr 25 16:56:05 auth-test krb5kdc[226122]: AS_REQ (8 etypes
{aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17),
aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19),
DEPRECATED:des3-cbc-sha1(16), DEPRECATED:arcfour-hmac(23),
camellia128-cts-cmac(25), camellia256-cts-cmac(26)})
2607:ea00:200:60::13: NEEDED_PREAUTH: WELLKNOWN/ANONYMOUS at MYDOMAIN.COM
for krbtgt/MYDOMAIN.COM at MYDOMAIN.COM, Additional pre-authentication
required
Apr 25 16:56:05 auth-test krb5kdc[226122]: closing down fd 14

I see the "additional pre-authentication required". I check the
anonymous principal:

kadmin.local:  get_principal WELLKNOWN/ANONYMOUS at MYDOMAIN.COM
Principal: WELLKNOWN/ANONYMOUS at MYDOMAIN.COM
Expiration date: [never]
Last password change: Tue Apr 25 16:04:45 CDT 2023
Password expiration date: [never]
Maximum ticket life: 0 days 10:00:00
Maximum renewable life: 7 days 00:00:00
Last modified: Tue Apr 25 16:04:45 CDT 2023 (root/admin at MYDOMAIN.COM)
Last successful authentication: Tue Apr 25 15:06:53 CDT 2023
Last failed authentication: Tue Apr 25 15:04:26 CDT 2023
Failed password attempts: 0
Number of keys: 2
Key: vno 3, aes256-cts-hmac-sha1-96
Key: vno 3, aes128-cts-hmac-sha1-96
MKey: vno 1
Attributes: REQUIRES_PRE_AUTH

So I remove the preauth requirement:

kadmin.local:  modprinc -requires_preauth WELLKNOWN/ANONYMOUS at MYDOMAIN.COM
Principal "WELLKNOWN/ANONYMOUS at MYDOMAIN.COM" modified.

However, when I try:

$ kinit -n -c /tmp/somecache
Password for WELLKNOWN/ANONYMOUS at MYDOMAIN.COM:

I still get a password prompt and the KDC logs still say:

NEEDED_PREAUTH for the WELLKNOWN/ANONYMOUS at MYDOMAIN.COM principal.

Any ideas what I am missing to get pkinit working with anonymous credentials?

Thanks for the help!

-m
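As an added illustration for the setup discussed in this message (not the poster's own files and not a verbatim copy of the MIT documentation), here is what the PKINIT-relevant parts of both config files look like when they are complete; the realm and the KDC paths follow the message above, while the CA certificate paths and the KDC's FQDN are assumed. The point it adds is that `pkinit_anchors` is needed on both sides: the KDC's PKINIT module refuses to initialise a realm without an anchor, and a client that cannot validate the KDC certificate never completes PKINIT, so `kinit -n` drops back to prompting for the anonymous principal's password.

```ini
# Added example, not the poster's configuration. Realm and KDC paths match
# the message; /etc/krb5kdc/cacert.pem, /etc/krb5/cacert.pem and the FQDN
# auth-test.mydomain.com are assumed values.

# --- KDC side: /etc/krb5kdc/kdc.conf ---
[kdcdefaults]
    kdc_ports = 750,88
    kdc_tcp_listen = 88
    # KDC certificate and private key (same as in the message). The
    # certificate must carry the id-pkinit-KDC extended key usage and a
    # SAN naming krbtgt/MYDOMAIN.COM@MYDOMAIN.COM, or a dNSName that the
    # client matches via pkinit_kdc_hostname.
    pkinit_identity = FILE:/etc/krb5kdc/kdc.pem,/etc/krb5kdc/kdckey.pem
    # CA the KDC trusts for client certificates. Without it the KDC's
    # PKINIT module does not initialise for the realm.
    pkinit_anchors = FILE:/etc/krb5kdc/cacert.pem

# --- Client side: /etc/krb5.conf ---
[realms]
    MYDOMAIN.COM = {
        # CA the client uses to verify the KDC certificate. If the KDC
        # certificate cannot be validated, PKINIT is not completed and
        # kinit -n falls back to a password prompt.
        pkinit_anchors = FILE:/etc/krb5/cacert.pem
        # Accept a KDC certificate identified by dNSName instead of the
        # krbtgt SAN (the setting suggested in the quoted reply).
        pkinit_kdc_hostname = auth-test.mydomain.com
    }
```

The anonymous principal itself should still be created with `addprinc -randkey WELLKNOWN/ANONYMOUS` as the quoted reply says; PKINIT is what replaces its password, so the principal's key is never typed by anyone.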
