Configuring OTPOverRadius

Greg Hudson ghudson at MIT.EDU
Wed Aug 7 11:47:54 EDT 2013

On 08/07/2013 05:05 AM, Cornelius Kölbel wrote:
> The KDC log tells me, that the anonymous ticket was issued and the 
> ticked based on the users password. No OTP plugin involved.
> Aug 06 01:11:08 krb-kdc krb5kdc[29207](info): AS_REQ (6 etypes {18
> 17 16 23 25 26}) NEEDED_PREAUTH:
> cornelius at TEST.LSEXPERTS.DE for
> pre-authentication required Aug 06 01:11:50 krb-kdc
> krb5kdc[29207](info): AS_REQ (6 etypes {18 17 16 23 25 26})
> ISSUE: authtime 1375744310, etypes {rep=18 tkt=18
> ses=18}, cornelius at TEST.LSEXPERTS.DE for

I'm not sure what you're missing.  If you successfully purged all of
the keys from cornelius with purgekeys -all, there should be no
password to authenticate with.  "getprinc cornelius" should say
"Number of keys: 0".

I think there's something else wrong as well, though.  Even with
long-term keys on the cornelius entry, OTP should be offered before
encrypted challenge and the client should prompt for it.

> So I rebuilt with
> ./configure CFLAGS=-g
> ...but it brought no additional output and insight. How do you
> recommend to increase debug and get the OTP Preauth tested?

Building with -g just makes it easier to run a debugger on the
binaries; it doesn't cause the binaries to generate additional output.

You can get additional information on the client side by running kinit
with the KRB5_TRACE environment variable set to a filename or to
/dev/stdout.  So, for example:

  KRB5_TRACE=/dev/stdout kinit -T /tmp/krb5cc_0 cornelius

The first thing to check is that you are successfully using FAST.
Near the beginning, you should see a line like:

  FAST armor key: aes256-cts/C54D

and a little later on you should see "Decoding FAST response", in a
context like this:

  Received error from KDC: -1765328359/Additional pre-authentication
  Decoding FAST response
  Processing preauth types: 136, 19, 141, 133, 137

The next question is what preauth types the KDC is offering.  The
types can be translated by looking at src/include/krb5/krb5.hin and
searching for "PADATA types".  In the above example, 136, 19, 133, and
137 are informational padata types, and 141 is OTP-CHALLENGE, which
causes the client to prompt for an OTP token value.  In your case, I
expect different output.

If you are using FAST and the KDC is not offering OTP, then you may
need more information from the KDC side, which unfortunately is not as
finely instrumented yet.  You might need to attach to the krb5kdc
process with gdb, set a breakpoint in otp_edata, and find out why it's
deciding not to produce a challenge for the preauth-required error.

More information about the krbdev mailing list