Configuring OTPOverRadius

Nathaniel McCallum npmccallum at redhat.com
Wed Aug 7 11:38:13 EDT 2013


On Wed, 2013-08-07 at 11:05 +0200, Cornelius Kölbel wrote:
> Am 05.08.2013 18:04, schrieb Greg Hudson:
> > On 08/05/2013 11:26 AM, Cornelius Kölbel wrote:
> >> But when doing a kinit on the client machine, the KDC still sends
> >> a ERR_PREAUTH_REQUIRED and the user can authenticate with the
> >> static password. No RADIUS traffic.
> >>
> >> What is the status of the OTP/Radius plugin? Did I miss something?
> > A couple of things:
> >
> > * First, allowing OTP preauth does not prevent Kerberos password
> > preauth (encrypted timestamp or encrypted challenge).  If you want to
> > prevent password preauth, you should remove the principal's keys with
> > "purgekeys -all princname" (recently added on master).
> >
> > * Second, OTP preauth only works with FAST.  We unfortunately don't
> > have good documentation on deploying FAST yet, but the basic
> > constraint is that you have to have tickets to get tickets.  To get
> > the initial "armor" tickets, you have two choices:
> >
> >   1. Use a keytab for a principal, such as a host principal, which has
> > a random key and therefore does not need to require preauth.
> >
> >   2. Use anonymous PKINIT.  We do have instructions on setting up
> > anonymous PKINIT at:
> >
> >     http://web.mit.edu/kerberos/krb5-latest/doc/admin/pkinit.html
> >
> > For testing purposes, once you have gotten the armor ticket one way or
> > another, you can use "kinit -T armorccache princname" to get tickets
> > using FAST.
> >
> > Russ Allbery's pam_krb5 supports "anon_fast" and "fast_ccache"
> > options.  (A "fast_keytab" option would also be interesting, but it
> > doesn't appear to exist yet, and arguably some of that complexity should
> > be moved into libkrb5.)
> Hi Greg,
> thanks for the answer.
> I setup anonymous PKINIT and do a kinit -n, which works fine:
> 
>   root at krb-client:~# kinit -n
>   root at krb-client:~# klist
>   Ticket cache: FILE:/tmp/krb5cc_0
>   Default principal: WELLKNOWN/ANONYMOUS at WELLKNOWN:ANONYMOUS
> 
>   Valid starting       Expires              Service principal
>   06.08.2013 00:54:05  06.08.2013 10:54:05  krbtgt/TEST.LSEXPERTS.DE at TEST.LSEXPERTS.DE
>       renew until 07.08.2013 00:54:05
> 
> Now I tried different things (purgekeys -all principal and not), but the
> KDC will never do a RADIUS request.
> 
> I do something like this:
>     kinit -T /tmp/krb5cc_0 cornelius
> 
> (Do I need to add options with -X?)
> 
> I have my otp section in /usr/local/var/krb5kdc/kdc.conf
> 
>   [otp]
>   linotp = {
>           server = 172.16.200.146:1812
>           secret = geheim
>           strip_realm = true
>   }
> 
> and the principal cornelius has the otp string specified:
> 
>   kadmin.local:  get_strings cornelius
>   otp: [{ type : linotp }]

If there are no quote characters in the above string, this is invalid
JSON and will cause the config step to fail.

Nathaniel
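The point in the reply above is that the per-principal `otp` string is parsed as JSON, so a value written with unquoted keys and values (as shown in the thread) is rejected before any RADIUS request can happen. The following is an added example, not code from this thread or from MIT krb5, that checks an `otp` string the way an administrator might before storing it with `kadmin set_string`: it must parse as JSON, and (an assumption based on the shape shown in the thread) be a non-empty array of objects each carrying a string `type` field. The helper that builds a correctly quoted string from a list of type names is likewise an illustration, not a krb5 API.

```python
import json

# Constructed sample values: the first is the form shown in the thread
# (unquoted keys/values), the second is the equivalent valid JSON.
UNQUOTED_OTP = "[{ type : linotp }]"
QUOTED_OTP = '[{"type": "linotp"}]'


def check_otp_string(value):
    """Return (ok, message).

    ok is True only when `value` parses as JSON and is a non-empty array of
    objects that each carry a string "type" field. The structural rule is an
    assumption drawn from the example in the thread, not from krb5 sources.
    """
    try:
        parsed = json.loads(value)
    except json.JSONDecodeError as exc:
        # This is the failure the unquoted form hits: it is not JSON at all.
        return False, "not valid JSON: %s" % exc
    if not isinstance(parsed, list) or not parsed:
        return False, "must be a non-empty JSON array"
    for index, entry in enumerate(parsed):
        if not isinstance(entry, dict):
            return False, "entry %d is not a JSON object" % index
        if not isinstance(entry.get("type"), str):
            return False, 'entry %d lacks a string "type" field' % index
    return True, "ok"


def build_otp_string(type_names):
    """Build a correctly quoted otp string from a list of [otp] section
    names (e.g. ["linotp"]). json.dumps guarantees the quoting."""
    return json.dumps([{"type": name} for name in type_names])


if __name__ == "__main__":
    for candidate in (UNQUOTED_OTP, QUOTED_OTP, build_otp_string(["linotp"])):
        ok, message = check_otp_string(candidate)
        print("%-28s -> %s (%s)" % (candidate, "accept" if ok else "reject", message))
```

Running the script prints one line per candidate; only the quoted forms are accepted. The accepted string is what you would pass as the value argument to `set_string` in `kadmin`, and `get_strings` (as used in the thread) shows what was actually stored.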
