Configuring OTPOverRadius

Dmitri Pal dpal at redhat.com
Wed Aug 7 06:08:09 EDT 2013


On 08/07/2013 05:05 AM, Cornelius Kölbel wrote:
> On 05.08.2013 18:04, Greg Hudson wrote:
>> On 08/05/2013 11:26 AM, Cornelius Kölbel wrote:
>>> But when doing a kinit on the client machine, the KDC still sends
>>> a ERR_PREAUTH_REQUIRED and the user can authenticate with the
>>> static password. No RADIUS traffic.
>>>
>>> What is the status of the OTP/Radius plugin? Did I miss something?
>> A couple of things:
>>
>> * First, allowing OTP preauth does not prevent Kerberos password
>> preauth (encrypted timestamp or encrypted challenge).  If you want to
>> prevent password preauth, you should remove the principal's keys with
>> "purgekeys -all princname" (recently added on master).
>>
>> * Second, OTP preauth only works with FAST.  We unfortunately don't
>> have good documentation on deploying FAST yet, but the basic
>> constraint is that you have to have tickets to get tickets.  To get
>> the initial "armor" tickets, you have two choices:
>>
>>   1. Use a keytab for a principal, such as a host principal, which has
>> a random key and therefore does not need to require preauth.
>>
>>   2. Use anonymous PKINIT.  We do have instructions on setting up
>> anonymous PKINIT at:
>>
>>     http://web.mit.edu/kerberos/krb5-latest/doc/admin/pkinit.html
>>
>> For testing purposes, once you have gotten the armor ticket one way or
>> another, you can use "kinit -T armorccache princname" to get tickets
>> using FAST.
>>
>> Russ Allbery's pam_krb5 supports "anon_fast" and "fast_ccache"
>> options.  (A "fast_keytab" option would also be interesting, but it
>> doesn't appear to exist yet, and arguably some of that complexity should
>> be moved into libkrb5.)
> Hi Greg,
> thanks for the answer.
> I set up anonymous PKINIT and do a kinit -n, which works fine:
>
>   root at krb-client:~# kinit -n
>   root at krb-client:~# klist
>   Ticket cache: FILE:/tmp/krb5cc_0
>   Default principal: WELLKNOWN/ANONYMOUS at WELLKNOWN:ANONYMOUS
>
>   Valid starting       Expires              Service principal
>   06.08.2013 00:54:05  06.08.2013 10:54:05  krbtgt/TEST.LSEXPERTS.DE at TEST.LSEXPERTS.DE
>       renew until 07.08.2013 00:54:05
>
> Now I tried different things (purgekeys -all principal and not), but the
> KDC will never do a RADIUS request.
>
> I do something like this:
>     kinit -T /tmp/krb5cc_0 cornelius
>
> (Do I need to add options with -X?)
>
> I have my otp section in /usr/local/var/krb5kdc/kdc.conf
>
>   [otp]
>   linotp = {
>           server = 172.16.200.146:1812
>           secret = geheim
>           strip_realm = true
>   }
>
> and the principal cornelius has the otp string specified:
>
>   kadmin.local:  get_strings cornelius
>   otp: [{ type : linotp }]
>
>
> The KDC log tells me that the anonymous ticket was issued and the
> ticket based on the user's password. No OTP plugin involved.
>
> Aug 06 01:11:06 krb-kdc krb5kdc[29207](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 172.16.200.148: NEEDED_PREAUTH: WELLKNOWN/ANONYMOUS at TEST.LSEXPERTS.DE for krbtgt/TEST.LSEXPERTS.DE at TEST.LSEXPERTS.DE, Additional pre-authentication required
> Aug 06 01:11:06 krb-kdc krb5kdc[29207](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 172.16.200.148: ISSUE: authtime 1375744266, etypes {rep=18 tkt=18 ses=18}, WELLKNOWN/ANONYMOUS at TEST.LSEXPERTS.DE for krbtgt/TEST.LSEXPERTS.DE at TEST.LSEXPERTS.DE
> Aug 06 01:11:06 krb-kdc krb5kdc[29207](info): closing down fd 17
> Aug 06 01:11:08 krb-kdc krb5kdc[29207](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 172.16.200.148: NEEDED_PREAUTH: cornelius at TEST.LSEXPERTS.DE for krbtgt/TEST.LSEXPERTS.DE at TEST.LSEXPERTS.DE, Additional pre-authentication required
> Aug 06 01:11:50 krb-kdc krb5kdc[29207](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 172.16.200.148: ISSUE: authtime 1375744310, etypes {rep=18 tkt=18 ses=18}, cornelius at TEST.LSEXPERTS.DE for krbtgt/TEST.LSEXPERTS.DE at TEST.LSEXPERTS.DE
>
>
> So I rebuilt with
>
>    ./configure CFLAGS=-g
>
> ...but it brought no additional output and insight.
> How do you recommend increasing debug output and getting the OTP preauth tested?
>
> Kind regards
> Cornelius
>
>
>
>
> _______________________________________________
> krbdev mailing list             krbdev at mit.edu
> https://mailman.mit.edu/mailman/listinfo/krbdev


Please take a look at this:
http://fedoraproject.org/wiki/Features/FreeIPA_Two_Factor_Authentication
IPA uses MIT Kerberos as is.
That should help you to set up an integrated solution that works.
Then you would be able to see what is missing in your setup with the
pure Kerberos implementation.

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.


-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
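The thread above turns on two things fitting together before any RADIUS traffic can appear: the `[otp]` section in kdc.conf must define the token type that the principal's otp string references, and the request must arrive over FAST with password preauth no longer available. The script below is an added example (not code from this thread, the MIT Kerberos project, or LinOTP) that checks the first, static half of that: it parses a kdc.conf-style `[otp]` section and a principal's otp string and reports mismatches and missing settings. The sample configuration is constructed to mirror the one quoted in the thread; the parser accepts both strict JSON and the loose `[{ type : linotp }]` form pasted above, which is an assumption about the pasted text rather than a statement of what kadmin stores. Whether FAST was actually used and whether the principal still has long-term keys cannot be judged from these files, so that part remains a runtime check.

```python
"""Consistency check between an MIT krb5 [otp] section and a principal's
otp string.  Illustrative example, not code from the krbdev thread or from
the MIT Kerberos project.  Assumes the simple `name = { key = value }`
block layout shown in the thread."""
import json
import re

# Constructed sample mirroring the kdc.conf quoted in the thread.
SAMPLE_KDC_CONF = """
[kdcdefaults]
    kdc_ports = 88

[otp]
linotp = {
        server = 172.16.200.146:1812
        secret = geheim
        strip_realm = true
}
"""

# Constructed sample in the loose form pasted in the thread.
SAMPLE_OTP_STRING = "[{ type : linotp }]"


def parse_otp_section(conf_text):
    """Return {token_type: {key: value}} for every block under [otp]."""
    types = {}
    in_otp = False
    current = None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_otp = line == "[otp]"
            current = None
            continue
        if not in_otp:
            continue
        block = re.match(r"^(\w+)\s*=\s*\{$", line)
        if block:
            current = block.group(1)
            types[current] = {}
            continue
        if line == "}":
            current = None
            continue
        if current is not None and "=" in line:
            key, _, value = line.partition("=")
            types[current][key.strip()] = value.strip()
    return types


def parse_otp_string(otp_string):
    """Return the list of token descriptors from the principal's otp string.

    Strict JSON is parsed as-is; the loose `[{ type : linotp }]` form gets
    its bare words quoted first (an assumption made for this example).
    """
    try:
        descriptors = json.loads(otp_string)
    except ValueError:
        quoted = re.sub(r'(?<!")\b([A-Za-z_][\w.-]*)\b(?!")', r'"\1"', otp_string)
        descriptors = json.loads(quoted)
    if not isinstance(descriptors, list):
        raise ValueError("otp string must be a JSON list")
    return descriptors


def check_otp_setup(conf_text, otp_string):
    """Return a list of findings; an empty list means the pieces fit together."""
    findings = []
    types = parse_otp_section(conf_text)
    if not types:
        findings.append("no [otp] section or no token types defined in kdc.conf")
    for desc in parse_otp_string(otp_string):
        ttype = desc.get("type")
        if ttype is None:
            findings.append("token descriptor %r has no type" % (desc,))
            continue
        settings = types.get(ttype)
        if settings is None:
            findings.append("principal references type %r, not defined under [otp]" % ttype)
            continue
        for required in ("server", "secret"):
            if required not in settings:
                findings.append("type %r is missing %r" % (ttype, required))
        # RFC 2865 prefers RADIUS shared secrets of at least 16 octets.
        if len(settings.get("secret", "")) < 16:
            findings.append("type %r: RADIUS secret is shorter than 16 characters" % ttype)
    return findings


if __name__ == "__main__":
    for line in check_otp_setup(SAMPLE_KDC_CONF, SAMPLE_OTP_STRING) or ["configuration is consistent"]:
        print(line)
```

Run against the sample, the only finding is the short RADIUS secret; pointing the principal at a type that is not defined under `[otp]` (for example `[{"type":"hotp"}]`) produces a mismatch finding instead. Feed it the real kdc.conf text and the output of `get_strings` for the principal to confirm the static configuration before looking at FAST and the principal's keys.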




