[krbdev.mit.edu #7862] ksu broken with 2FA principals

Anders Kaseorg via RT rt-comment at krbdev.mit.edu
Tue Feb 11 12:37:00 EST 2014


In krb5 1.12, ksu can no longer authenticate with my 
andersk/root@ATHENA.MIT.EDU principal, which is secured with Duo 
two-factor authentication:

$ ksu $USER -n andersk/root
WARNING: Your password may be exposed if you enter it here and are logged
         in remotely using an unsecure (non-encrypted) channel.
Kerberos password for andersk/root@ATHENA.MIT.EDU: : [redacted]
SAM Authentication
Challenge from authentication server
Duo login: Passcode/option or press return for options: 1
ksu: Password incorrect
Goodbye

The same thing happens if I just press Enter or type anything else instead 
of 1.

kinit still works, and ksu with non-2FA principals still works.  ksu 
worked correctly with 2FA in 1.11.3.  A git bisect implicates this commit:

  https://github.com/krb5/krb5/commit/f3458ed803ae97b6c6c7c63baeb82b26c4943d4c
  Make empty passwords work via init_creds APIs

I’ve checked that it’s still broken in krb5-1.12.1-final and current 
master (1e4bdcfe).

I’m running Ubuntu trusty amd64 (which just received 1.12 as an update two 
days ago).

Anders



