Configuring OTPOverRadius
Cornelius Kölbel
cornelius.koelbel at lsexperts.de
Wed Aug 7 05:05:24 EDT 2013
On 05.08.2013 18:04, Greg Hudson wrote:
> On 08/05/2013 11:26 AM, Cornelius Kölbel wrote:
>> But when doing a kinit on the client machine, the KDC still sends
>> a ERR_PREAUTH_REQUIRED and the user can authenticate with the
>> static password. No RADIUS traffic.
>>
>> What is the status of the OTP/Radius plugin? Did I miss something?
> A couple of things:
>
> * First, allowing OTP preauth does not prevent Kerberos password
> preauth (encrypted timestamp or encrypted challenge). If you want to
> prevent password preauth, you should remove the principal's keys with
> "purgekeys -all princname" (recently added on master).
>
> * Second, OTP preauth only works with FAST. We unfortunately don't
> have good documentation on deploying FAST yet, but the basic
> constraint is that you have to have tickets to get tickets. To get
> the initial "armor" tickets, you have two choices:
>
> 1. Use a keytab for a principal, such as a host principal, which has
> a random key and therefore does not need to require preauth.
>
> 2. Use anonymous PKINIT. We do have instructions on setting up
> anonymous PKINIT at:
>
> http://web.mit.edu/kerberos/krb5-latest/doc/admin/pkinit.html
>
> For testing purposes, once you have gotten the armor ticket one way or
> another, you can use "kinit -T armorccache princname" to get tickets
> using FAST.
>
> Russ Allbery's pam_krb5 supports "anon_fast" and "fast_ccache"
> options. (A "fast_keytab" option would also be interesting, but it
> doesn't appear to exist yet, and arguably some of that complexity should
> be moved into libkrb5.)
Hi Greg,
thanks for the answer.
I set up anonymous PKINIT and do a kinit -n, which works fine:
root@krb-client:~# kinit -n
root@krb-client:~# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS
Valid starting       Expires              Service principal
06.08.2013 00:54:05  06.08.2013 10:54:05  krbtgt/TEST.LSEXPERTS.DE@TEST.LSEXPERTS.DE
        renew until 07.08.2013 00:54:05
Now I tried different things (purgekeys -all principal and not), but the
KDC will never do a RADIUS request.
I do something like this:
kinit -T /tmp/krb5cc_0 cornelius
(Do I need to add options with -X?)
I have my otp section in /usr/local/var/krb5kdc/kdc.conf
[otp]
linotp = {
server = 172.16.200.146:1812
secret = geheim
strip_realm = true
}
and the principal cornelius has the otp string specified:
kadmin.local: get_strings cornelius
otp: [{ type : linotp }]
The KDC log tells me that the anonymous ticket was issued and the
ticket based on the user's password. No OTP plugin involved.
Aug 06 01:11:06 krb-kdc krb5kdc[29207](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 172.16.200.148: NEEDED_PREAUTH: WELLKNOWN/ANONYMOUS@TEST.LSEXPERTS.DE for krbtgt/TEST.LSEXPERTS.DE@TEST.LSEXPERTS.DE, Additional pre-authentication required
Aug 06 01:11:06 krb-kdc krb5kdc[29207](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 172.16.200.148: ISSUE: authtime 1375744266, etypes {rep=18 tkt=18 ses=18}, WELLKNOWN/ANONYMOUS@TEST.LSEXPERTS.DE for krbtgt/TEST.LSEXPERTS.DE@TEST.LSEXPERTS.DE
Aug 06 01:11:06 krb-kdc krb5kdc[29207](info): closing down fd 17
Aug 06 01:11:08 krb-kdc krb5kdc[29207](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 172.16.200.148: NEEDED_PREAUTH: cornelius@TEST.LSEXPERTS.DE for krbtgt/TEST.LSEXPERTS.DE@TEST.LSEXPERTS.DE, Additional pre-authentication required
Aug 06 01:11:50 krb-kdc krb5kdc[29207](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 172.16.200.148: ISSUE: authtime 1375744310, etypes {rep=18 tkt=18 ses=18}, cornelius@TEST.LSEXPERTS.DE for krbtgt/TEST.LSEXPERTS.DE@TEST.LSEXPERTS.DE
So I rebuilt with
./configure CFLAGS=-g
...but it brought no additional output and insight.
How do you recommend increasing the debug output and getting the OTP preauth tested?
Kind regards
Cornelius
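The mail shows two halves of the OTP configuration that have to agree: the [otp] block in kdc.conf and the principal's "otp" string attribute, which the krb5 OTP documentation describes as a JSON list of objects such as [{"type": "linotp"}]. The following is an added example, not code from the krb5 project or from anyone in this thread. It reads a kdc.conf [otp] section with a deliberately minimal parser (not the libkrb5 profile library), decodes the otp attribute as JSON, and reports whether each entry points at a configured type with a RADIUS server and shared secret. The sample kdc.conf text and the two otp strings are constructed from the values quoted in the mail; the 16-character secret-length threshold is a heuristic chosen for this example, not a krb5 requirement.

```python
"""Check that a principal's "otp" string attribute matches the [otp] section
of kdc.conf (added example; not krb5 project code)."""
import json
import re

# Constructed sample input, modelled on the kdc.conf excerpt and the
# "get_strings cornelius" output quoted in the mail.
SAMPLE_KDC_CONF = """
[otp]
linotp = {
    server = 172.16.200.146:1812
    secret = geheim
    strip_realm = true
}
"""

# The attribute value as it appears in the mail, and the JSON form the
# krb5 OTP documentation describes for this attribute.
OTP_STRING_FROM_MAIL = "[{ type : linotp }]"
OTP_STRING_JSON = '[{"type": "linotp"}]'


def parse_otp_section(conf_text):
    """Return {type_name: {key: value}} for every 'name = { ... }' block
    under [otp]. Minimal reader for the profile syntax of kdc.conf: it
    handles the single level of nesting that [otp] uses and skips all
    other sections."""
    types = {}
    in_otp = False
    current = None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("["):
            in_otp = line == "[otp]"
            current = None
            continue
        if not in_otp:
            continue
        block = re.match(r"^(\S+)\s*=\s*\{$", line)
        if block:
            current = block.group(1)
            types[current] = {}
        elif line == "}":
            current = None
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            types[current][key.strip()] = value.strip()
    return types


def check_otp_binding(conf_text, otp_string, min_secret_len=16):
    """Return (errors, warnings). Errors mean the KDC has no usable RADIUS
    target for this principal; warnings flag a shared secret shorter than
    min_secret_len (a heuristic threshold for this example)."""
    errors, warnings = [], []
    types = parse_otp_section(conf_text)
    try:
        entries = json.loads(otp_string)
    except json.JSONDecodeError as exc:
        errors.append(f"otp string is not valid JSON: {exc.msg}")
        return errors, warnings
    if not isinstance(entries, list) or not all(isinstance(e, dict) for e in entries):
        errors.append("otp string must be a JSON list of objects")
        return errors, warnings
    for entry in entries:
        otp_type = entry.get("type")
        if otp_type is None:
            warnings.append('entry without "type": nothing to check against [otp]')
            continue
        if otp_type not in types:
            errors.append(f"otp type {otp_type!r} is not defined in [otp]")
            continue
        cfg = types[otp_type]
        if "server" not in cfg:
            errors.append(f"[otp] {otp_type}: no RADIUS server configured")
        if "secret" not in cfg:
            errors.append(f"[otp] {otp_type}: no RADIUS shared secret configured")
        elif len(cfg["secret"]) < min_secret_len:
            warnings.append(
                f"[otp] {otp_type}: shared secret is only {len(cfg['secret'])} "
                f"characters (heuristic threshold {min_secret_len})")
    return errors, warnings


if __name__ == "__main__":
    for label, value in (("as in mail", OTP_STRING_FROM_MAIL),
                         ("JSON form", OTP_STRING_JSON)):
        errs, warns = check_otp_binding(SAMPLE_KDC_CONF, value)
        print(f"{label}: {value}")
        for msg in errs:
            print("  ERROR:", msg)
        for msg in warns:
            print("  WARN: ", msg)
```

Run against the values from the mail, the unquoted form [{ type : linotp }] is rejected as invalid JSON, while [{"type": "linotp"}] resolves to the configured linotp block and only draws the short-secret warning. The check covers the static binding only; it says nothing about whether the KDC will actually pick OTP over password preauth at request time, which in this thread depends on FAST and on the principal's remaining long-term keys.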