help with OTP

Matt Zagrabelny mzagrabe at d.umn.edu
Wed Apr 26 12:41:39 EDT 2023


On Wed, Apr 26, 2023 at 11:29 AM Ken Hornstein <kenh at cmf.nrl.navy.mil> wrote:
>
> >Since I am currently only interested in anonymous auth, I thought I
> >could skip that directive. But alas:
>
> Right, so, here's where my limited knowledge of FAST comes into play.
>
> As I understand it, you need to be able to use a trusted key to
> authenticate with the KDC to create the FAST channel.  Your options
> are using an already-existing key (such as a host key) or anonymous
> PKINIT.  But the "anonymous" part of anonymous PKINIT only refers to the
> CLIENT being anonymous; you still need the client to be able to verify
> the KDC's certificate (otherwise anyone could pretend to be your KDC and
> you could end up sending your OTP output to them, which would be bad).

Agreed.

The docs that I referenced still made it seem that the anchor config
was somewhat optional for anonymous auth.

...but maybe I wasn't reading those lines with the proper mindset or context.

> That's the piece you were missing.  Once you have the FAST channel set
> up then you can use that to securely send the OTP response.
>
> I see in a later message you got it working; great!  Just FYI in case
> anyone else asks, the key line in that trace output was this:
>
> [1185088] 1682519355.427424: Processing preauth types: PA-PK-AS-REQ
> (16), PA-FX-FAST (136), PA-ETYPE-INFO2 (19), PA-PKINIT-KX (147),
> PA-ENCRYPTED-CHALLENGE (138), PA_AS_FRESHNESS (150), PA-FX-COOKIE
> (133), PA-FX-ERROR (137)
>
> You're missing PA-OTP-REQUEST, which was because (as you discovered)
> that plugin wasn't installed.  But that requires a lot of Kerberos
> knowledge to get to that point :-/

Yup!

> It does occur to me a useful addition to kinit might be a flag that
> means "authenticate using anonymous PKINIT and then use those
> credentials as a FAST armour credential cache" so you wouldn't have
> to muck around with juggling credential caches.

That would be great and would eliminate an impending shell alias for me:

alias kinit-otp='kinit -n -c /tmp/somecache; kinit -T /tmp/somecache'

Thanks for all the help, Ken (and BuzzSaw and Greg). It is very appreciated!

-m
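The two-stage sequence the thread arrives at (anonymous PKINIT into an armor cache, then a FAST-armored kinit that carries the OTP), plus the trace triage Ken describes, written out as an added example. This is not code posted by Matt or Ken and not part of MIT Kerberos; it assumes an MIT krb5 client with the pkinit and otp client preauth plugins installed, and a krb5.conf whose [realms] entry sets pkinit_anchors to the CA that issued the KDC's PKINIT certificate. The function names kinit_otp and otp_preauth_available, and the two sample trace lines, are constructed for the example.

```shell
#!/bin/sh
# Added example for this thread; not code from the thread or from MIT Kerberos.
#
# Assumptions (not stated on the page): MIT krb5 kinit with the pkinit and
# otp client preauth plugins installed, and a krb5.conf [realms] entry that
# sets pkinit_anchors to the CA behind the KDC's PKINIT cert. Without that
# anchor the anonymous PKINIT step cannot verify the KDC and kinit -n fails,
# which is the piece the thread found was mandatory.

# Two-stage OTP login: anonymous PKINIT into a private armor cache, then a
# FAST-armored kinit for the real principal. Runs kinit for real; only use
# on a host that can reach the KDC.
kinit_otp() {
    principal=$1
    # mktemp, not a fixed /tmp path: the armor cache holds a real ticket and
    # a predictable name invites symlink and pre-creation games on a shared box.
    armor=$(mktemp "${TMPDIR:-/tmp}/armor.XXXXXX") || return 1
    # Stage 1: anonymous PKINIT. Only the client is anonymous; the KDC's
    # certificate is still chained to pkinit_anchors.
    if ! kinit -n -c "FILE:$armor"; then
        rm -f "$armor"
        return 1
    fi
    # Stage 2: use that cache as FAST armor. The OTP prompt and response
    # travel inside the FAST channel, so a rogue KDC cannot collect them.
    kinit -T "FILE:$armor" "$principal"
    rc=$?
    kdestroy -c "FILE:$armor" 2>/dev/null || rm -f "$armor"
    return $rc
}

# Offline triage of a KRB5_TRACE capture, following Ken's hint: the
# "Processing preauth types:" line lists what the client can handle. If
# PA-FX-FAST is absent the armor cache is not in effect; if no PA-OTP-*
# type appears, the otp client plugin is not installed.
# Returns 0 when both are present, 1 otherwise.
otp_preauth_available() {
    trace=$1
    line=$(printf '%s\n' "$trace" | grep 'Processing preauth types:' | tail -n 1)
    [ -n "$line" ] || { echo "no preauth list in trace"; return 1; }
    case $line in
        *PA-FX-FAST*) ;;
        *) echo "PA-FX-FAST missing: armor cache not in effect"; return 1 ;;
    esac
    case $line in
        *PA-OTP-*) echo "OTP preauth offered"; return 0 ;;
        *) echo "no PA-OTP-* type: is the otp preauth plugin installed?"; return 1 ;;
    esac
}

# Constructed sample traces (not captured from a real KDC). The first
# mirrors the preauth list quoted in the thread, rejoined onto one line;
# the second is what a working client is expected to show.
TRACE_NO_OTP='[1185088] 1682519355.427424: Processing preauth types: PA-PK-AS-REQ (16), PA-FX-FAST (136), PA-ETYPE-INFO2 (19), PA-PKINIT-KX (147), PA-ENCRYPTED-CHALLENGE (138), PA_AS_FRESHNESS (150), PA-FX-COOKIE (133), PA-FX-ERROR (137)'
TRACE_WITH_OTP='[1185088] 1682519355.427424: Processing preauth types: PA-FX-FAST (136), PA-ETYPE-INFO2 (19), PA-OTP-REQUEST (142), PA-FX-COOKIE (133)'

# Usage: KRB5_TRACE=/tmp/kinit.trace kinit_otp user@EXAMPLE.COM
#        otp_preauth_available "$(cat /tmp/kinit.trace)"
```

Capturing the trace with KRB5_TRACE and feeding it to otp_preauth_available gives the same diagnosis Ken made by eye: a list with PA-FX-FAST but no PA-OTP-* type means the FAST channel is up and the remaining problem is the missing client plugin, not the anchor configuration.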
