Configuring OTPOverRadius

Cornelius Kölbel cornelius.koelbel at lsexperts.de
Wed Aug 7 07:44:54 EDT 2013


On 07.08.2013 12:08, Dmitri Pal wrote:
> On 08/07/2013 05:05 AM, Cornelius Kölbel wrote:
>> On 05.08.2013 18:04, Greg Hudson wrote:
>>> On 08/05/2013 11:26 AM, Cornelius Kölbel wrote:
>>>> But when doing a kinit on the client machine, the KDC still sends
>>>> a ERR_PREAUTH_REQUIRED and the user can authenticate with the
>>>> static password. No RADIUS traffic.
>>>>
>>>> What is the status of the OTP/Radius plugin? Did I miss something?
>>> A couple of things:
>>>
>>> * First, allowing OTP preauth does not prevent Kerberos password
>>> preauth (encrypted timestamp or encrypted challenge).  If you want to
>>> prevent password preauth, you should remove the principal's keys with
>>> "purgekeys -all princname" (recently added on master).
>>>
>>> * Second, OTP preauth only works with FAST.  We unfortunately don't
>>> have good documentation on deploying FAST yet, but the basic
>>> constraint is that you have to have tickets to get tickets.  To get
>>> the initial "armor" tickets, you have two choices:
>>>
>>>   1. Use a keytab for a principal, such as a host principal, which has
>>> a random key and therefore does not need to require preauth.
>>>
>>>   2. Use anonymous PKINIT.  We do have instructions on setting up
>>> anonymous PKINIT at:
>>>
>>>     http://web.mit.edu/kerberos/krb5-latest/doc/admin/pkinit.html
>>>
>>> For testing purposes, once you have gotten the armor ticket one way or
>>> another, you can use "kinit -T armorccache princname" to get tickets
>>> using FAST.
>>>
>>> Russ Allbery's pam_krb5 supports "anon_fast" and "fast_ccache"
>>> options.  (A "fast_keytab" option would also be interesting, but it
>>> doesn't appear to exist yet, and arguably some of that complexity should
>>> be moved into libkrb5.)
>> Hi Greg,
>> thanks for the answer.
>> I set up anonymous PKINIT and do a kinit -n, which works fine:
>>
>>   root at krb-client:~# kinit -n
>>   root at krb-client:~# klist
>>   Ticket cache: FILE:/tmp/krb5cc_0
>>   Default principal: WELLKNOWN/ANONYMOUS at WELLKNOWN:ANONYMOUS
>>
>>   Valid starting       Expires              Service principal
>>   06.08.2013 00:54:05  06.08.2013 10:54:05 
>> krbtgt/TEST.LSEXPERTS.DE at TEST.LSEXPERTS.DE
>>       renew until 07.08.2013 00:54:05
>>
>> Now I tried different things (purgekeys -all principal and not), but the
>> KDC will never do a RADIUS request.
>>
>> I do something like this:
>>     kinit -T /tmp/krb5cc_0 cornelius
>>
>> (Do I need to add options with -X?)
>>
>> I have my otp section in /usr/local/var/krb5kdc/kdc.conf
>>
>>   [otp]
>>   linotp = {
>>           server = 172.16.200.146:1812
>>           secret = geheim
>>           strip_realm = true
>>   }
>>
>> and the principal cornelius has the otp string specified:
>>
>>   kadmin.local:  get_strings cornelius
>>   otp: [{ type : linotp }]
>>
>>
>> The KDC log tells me that the anonymous ticket was issued, and then the
>> ticket based on the user's password. No OTP plugin involved.
>>
>> Aug 06 01:11:06 krb-kdc krb5kdc[29207](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 172.16.200.148: NEEDED_PREAUTH: WELLKNOWN/ANONYMOUS at TEST.LSEXPERTS.DE for krbtgt/TEST.LSEXPERTS.DE at TEST.LSEXPERTS.DE, Additional pre-authentication required
>> Aug 06 01:11:06 krb-kdc krb5kdc[29207](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 172.16.200.148: ISSUE: authtime 1375744266, etypes {rep=18 tkt=18 ses=18}, WELLKNOWN/ANONYMOUS at TEST.LSEXPERTS.DE for krbtgt/TEST.LSEXPERTS.DE at TEST.LSEXPERTS.DE
>> Aug 06 01:11:06 krb-kdc krb5kdc[29207](info): closing down fd 17
>> Aug 06 01:11:08 krb-kdc krb5kdc[29207](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 172.16.200.148: NEEDED_PREAUTH: cornelius at TEST.LSEXPERTS.DE for krbtgt/TEST.LSEXPERTS.DE at TEST.LSEXPERTS.DE, Additional pre-authentication required
>> Aug 06 01:11:50 krb-kdc krb5kdc[29207](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 172.16.200.148: ISSUE: authtime 1375744310, etypes {rep=18 tkt=18 ses=18}, cornelius at TEST.LSEXPERTS.DE for krbtgt/TEST.LSEXPERTS.DE at TEST.LSEXPERTS.DE
>>
>>
>> So I rebuilt with
>>
>>    ./configure CFLAGS=-g
>>
>> ...but it brought no additional output and insight.
>> How do you recommend increasing the debug output and getting the OTP preauth tested?
>>
>> Kind regards
>> Cornelius
>>
>>
>>
>>
>
> Please take a look at this:
> http://fedoraproject.org/wiki/Features/FreeIPA_Two_Factor_Authentication
> IPA uses MIT Kerberos as is.
> That should help you to setup an integrated solution that works.
> Then you would be able to see what is missing in your setup with the
> pure Kerberos implementation.
>
I planned to take a look at FreeIPA afterwards on Fedora 19.
Kind regards
Cornelius
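As an added example (not code from MIT krb5, LinOTP, or anyone in this thread), here is an offline Python sketch of the RADIUS exchange the [otp] stanza above configures: the KDC's OTP plugin sends an Access-Request carrying User-Name (with the realm removed when strip_realm = true) and the OTP in the User-Password attribute, and the OTP server answers Access-Accept or Access-Reject signed with the shared secret. The server address and secret are the ones from the quoted kdc.conf; the OTP value, the NAS-Identifier, the stand-in validator and the per-user OTP table are constructed, and nothing is sent over the network.

```python
"""RADIUS Access-Request / Access-Accept exchange as the KDC's OTP plugin
performs it against the server in the kdc.conf [otp] stanza (RFC 2865).
Added example, not MIT krb5 or LinOTP code; nothing here touches the network."""
import hashlib
import hmac
import os
import struct

# From the [otp] stanza quoted in the thread. The address is informational only.
OTP_SERVER = ("172.16.200.146", 1812)
OTP_SECRET = b"geheim"
STRIP_REALM = True

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IDENTIFIER = 1, 2, 32


def radius_user_name(principal, strip_realm=STRIP_REALM):
    """User-Name sent to the OTP server: strip_realm drops the '@REALM' part."""
    return principal.rsplit("@", 1)[0] if strip_realm and "@" in principal else principal


def _attr(atype, value):
    """Type / Length / Value attribute; Length counts the two header octets."""
    if len(value) > 253:
        raise ValueError("RADIUS attribute value too long")
    return struct.pack("!BB", atype, len(value) + 2) + value


def encrypt_user_password(secret, request_auth, password):
    """RFC 2865 5.2: zero-pad to 16-octet blocks, XOR each block with
    MD5(secret || previous block), seeded with the Request Authenticator."""
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ b for p, b in zip(padded[i:i + 16], block))
        out += prev
    return out


def decrypt_user_password(secret, request_auth, encrypted):
    """Server side of the same transform; trailing padding zeros are removed."""
    if not encrypted or len(encrypted) % 16:
        raise ValueError("User-Password must be a non-empty multiple of 16 octets")
    out, prev = b"", request_auth
    for i in range(0, len(encrypted), 16):
        block = hashlib.md5(secret + prev).digest()
        prev = encrypted[i:i + 16]
        out += bytes(c ^ b for c, b in zip(prev, block))
    return out.rstrip(b"\x00")


def build_access_request(secret, identifier, request_auth, user_name, otp, nas_id=b"krb-kdc"):
    """Code 1 packet: header, 16-octet Request Authenticator, attributes.
    The NAS-Identifier value is a constructed placeholder."""
    attrs = (_attr(ATTR_USER_NAME, user_name.encode())
             + _attr(ATTR_USER_PASSWORD, encrypt_user_password(secret, request_auth, otp))
             + _attr(ATTR_NAS_IDENTIFIER, nas_id))
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + request_auth + attrs


def parse_attributes(packet):
    """Walk the TLV list after the 20-octet header; reject truncated entries."""
    attrs, pos = [], 20
    while pos < len(packet):
        if pos + 2 > len(packet):
            raise ValueError("truncated RADIUS attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            raise ValueError("malformed RADIUS attribute")
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return attrs


def _response_authenticator(secret, code, identifier, request_auth, attrs):
    """RFC 2865 3: MD5(Code || ID || Length || RequestAuth || Attributes || Secret)."""
    head = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    return hashlib.md5(head + request_auth + attrs + secret).digest()


def otp_server_handle(secret, request, valid_otps):
    """Stand-in for the OTP server: decrypt User-Password, compare it against a
    constructed per-user OTP table, and sign the reply with the shared secret."""
    attrs = dict(parse_attributes(request))
    user = attrs.get(ATTR_USER_NAME, b"").decode(errors="replace")
    expected = valid_otps.get(user)
    try:
        otp = decrypt_user_password(secret, request[4:20], attrs.get(ATTR_USER_PASSWORD, b""))
        ok = request[0] == ACCESS_REQUEST and expected is not None and hmac.compare_digest(otp, expected)
    except ValueError:
        ok = False
    code = ACCESS_ACCEPT if ok else ACCESS_REJECT
    auth = _response_authenticator(secret, code, request[1], request[4:20], b"")
    return struct.pack("!BBH", code, request[1], 20) + auth


def verify_response(secret, request, response):
    """Client side: trust a reply only if its authenticator was computed with the
    shared secret over *this* request's authenticator; anything else is dropped."""
    if len(response) < 20 or response[1] != request[1]:
        return False
    if struct.unpack("!H", response[2:4])[0] != len(response):
        return False
    expected = _response_authenticator(secret, response[0], response[1], request[4:20], response[20:])
    return hmac.compare_digest(expected, response[4:20])


def exchange(client_secret, server_secret, principal, otp, valid_otps):
    """One request/reply pair, in memory. Returns 'accept', 'reject', or
    'unverified' (authenticator mismatch, e.g. the two sides' secrets differ)."""
    req = build_access_request(client_secret, 0x2A, os.urandom(16), radius_user_name(principal), otp)
    resp = otp_server_handle(server_secret, req, valid_otps)
    if not verify_response(client_secret, req, resp):
        return "unverified"
    return "accept" if resp[0] == ACCESS_ACCEPT else "reject"


if __name__ == "__main__":
    table = {"cornelius": b"123456"}  # constructed OTP for the thread's principal
    for secret, otp in ((OTP_SECRET, b"123456"), (OTP_SECRET, b"654321"), (b"wrong", b"123456")):
        print(exchange(OTP_SECRET, secret, "cornelius@TEST.LSEXPERTS.DE", otp, table))
```

Two things worth noticing when debugging a setup like the one in the thread: a reply whose Response Authenticator does not verify under the client's secret is silently discarded, so mismatched secrets on the two sides look like a server that never answers; and the User-Password transform is an MD5-keystream obfuscation, not encryption in any modern sense, which is why RADIUS to an OTP server across an untrusted network should run inside IPsec or over TLS (RadSec) rather than as bare UDP.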
