Configuring OTPOverRadius

Greg Hudson ghudson at MIT.EDU
Mon Aug 5 12:04:55 EDT 2013

On 08/05/2013 11:26 AM, Cornelius Kölbel wrote:
> But when doing a kinit on the client machine, the KDC still sends
> a ERR_PREAUTH_REQUIRED and the user can authenticate with the
> static password. No RADIUS traffic.
> What is the status of the OTP/Radius plugin? Did I miss something?

A couple of things:

* First, allowing OTP preauth does not prevent Kerberos password
preauth (encrypted timestamp or encrypted challenge).  If you want to
prevent password preauth, you should remove the principal's keys with
"purgekeys -all princname" (recently added on master).

* Second, OTP preauth only works with FAST.  We unfortunately don't
have good documentation on deploying FAST yet, but the basic
constraint is that you have to have tickets to get tickets.  To get
the initial "armor" tickets, you have two choices:

  1. Use a keytab for a principal, such as a host principal, which has
a random key and therefore does not need to require preauth.

  2. Use anonymous PKINIT.  We do have instructions on setting up
anonymous PKINIT at:

For testing purposes, once you have gotten the armor ticket one way or
another, you can use "kinit -T armorccache princname" to get tickets
using FAST.

Russ Allbery's pam_krb5 supports "anon_fast" and "fast_ccache"
options.  (A "fast_keytab" option would also be interesting, but it
doesn't appear to exist yet, and arguably some of that complexity should
be moved into libkrb5.)

More information about the krbdev mailing list