Configuring OTPOverRadius

Cornelius Kölbel cornelius.koelbel at lsexperts.de
Wed Aug 7 12:11:39 EDT 2013


Am 07.08.2013 17:47, schrieb Greg Hudson:
> On 08/07/2013 05:05 AM, Cornelius Kölbel wrote:
>> The KDC log tells me that the anonymous ticket was issued and the
>> ticket based on the user's password. No OTP plugin involved.
>>
>> Aug 06 01:11:08 krb-kdc krb5kdc[29207](info): AS_REQ (6 etypes {18
>> 17 16 23 25 26}) 172.16.200.148: NEEDED_PREAUTH:
>> cornelius@TEST.LSEXPERTS.DE for
>> krbtgt/TEST.LSEXPERTS.DE@TEST.LSEXPERTS.DE, Additional
>> pre-authentication required
>>
>> Aug 06 01:11:50 krb-kdc krb5kdc[29207](info): AS_REQ (6 etypes {18
>> 17 16 23 25 26}) 172.16.200.148: ISSUE: authtime 1375744310, etypes
>> {rep=18 tkt=18 ses=18}, cornelius@TEST.LSEXPERTS.DE for
>> krbtgt/TEST.LSEXPERTS.DE@TEST.LSEXPERTS.DE
> I'm not sure what you're missing.  If you successfully purged all of
> the keys from cornelius with purgekeys -all, there should be no
> password to authenticate with.  "getprinc cornelius" should say
> "Number of keys: 0".
>
> I think there's something else wrong as well, though.  Even with
> long-term keys on the cornelius entry, OTP should be offered before
> encrypted challenge and the client should prompt for it.
>
>> So I rebuilt with
>>
>> ./configure CFLAGS=-g
>>
>> ...but it brought no additional output and insight. How do you
>> recommend to increase debug and get the OTP Preauth tested?
> Building with -g just makes it easier to run a debugger on the
> binaries; it doesn't cause the binaries to generate additional output.
>
> You can get additional information on the client side by running kinit
> with the KRB5_TRACE environment variable set to a filename or to
> /dev/stdout.  So, for example:
>
>   KRB5_TRACE=/dev/stdout kinit -T /tmp/krb5cc_0 cornelius
>
> The first thing to check is that you are successfully using FAST.
> Near the beginning, you should see a line like:
>
>   FAST armor key: aes256-cts/C54D
>
> and a little later on you should see "Decoding FAST response", in a
> context like this:
>
>   Received error from KDC: -1765328359/Additional pre-authentication
> required
>   Decoding FAST response
>   Processing preauth types: 136, 19, 141, 133, 137
>
> The next question is what preauth types the KDC is offering.  The
> types can be translated by looking at src/include/krb5/krb5.hin and
> searching for "PADATA types".  In the above example, 136, 19, 133, and
> 137 are informational padata types, and 141 is OTP-CHALLENGE, which
> causes the client to prompt for an OTP token value.  In your case, I
> expect different output.
>
> If you are using FAST and the KDC is not offering OTP, then you may
> need more information from the KDC side, which unfortunately is not as
> finely instrumented yet.  You might need to attach to the krb5kdc
> process with gdb, set a breakpoint in otp_edata, and find out why it's
> deciding not to produce a challenge for the preauth-required error.
>
Thanks again.

OK, it is the KDC that does not offer OTP in any way:

root@krb-client:~# KRB5_TRACE=/dev/stdout kinit -T /tmp/krb5cc_0 cornelius
[2066] 1375891102.868326: Getting initial credentials for cornelius@TEST.LSEXPERTS.DE
[2066] 1375891102.870456: FAST armor ccache: /tmp/krb5cc_0
[2066] 1375891102.870534: Retrieving WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS -> krb5_ccache_conf_data/fast_avail/krbtgt\/TEST.LSEXPERTS.DE\@TEST.LSEXPERTS.DE@X-CACHECONF: from FILE:/tmp/krb5cc_0 with result: 0/Success
[2066] 1375891102.870543: Read config in FILE:/tmp/krb5cc_0 for krbtgt/TEST.LSEXPERTS.DE@TEST.LSEXPERTS.DE: fast_avail: yes
[2066] 1375891102.870547: Using FAST due to armor ccache negotiation result
[2066] 1375891102.870561: Getting credentials WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS -> krbtgt/TEST.LSEXPERTS.DE@TEST.LSEXPERTS.DE using ccache FILE:/tmp/krb5cc_0
[2066] 1375891102.870596: Retrieving WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS -> krbtgt/TEST.LSEXPERTS.DE@TEST.LSEXPERTS.DE from FILE:/tmp/krb5cc_0 with result: 0/Success
[2066] 1375891102.870619: Armor ccache sesion key: aes256-cts/EB8A
[2066] 1375891102.870657: Creating authenticator for WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS -> krbtgt/TEST.LSEXPERTS.DE@TEST.LSEXPERTS.DE, seqnum 0, subkey aes256-cts/117D, session key aes256-cts/EB8A
[2066] 1375891102.870788: FAST armor key: aes256-cts/CD73
[2066] 1375891102.871318: Encoding request body and padata into FAST request
[2066] 1375891102.871623: Sending request (994 bytes) to TEST.LSEXPERTS.DE
[2066] 1375891102.871900: Resolving hostname kerberos
[2066] 1375891102.872420: Sending initial UDP request to dgram 172.16.200.138:88
[2066] 1375891102.873622: Received answer from dgram 172.16.200.138:88
[2066] 1375891102.875642: Response was not from master KDC
[2066] 1375891102.875979: Received error from KDC: -1765328359/Additional pre-authentication required
[2066] 1375891102.876337: Decoding FAST response
[2066] 1375891102.876715: Processing preauth types: 16, 15, 14, 136, 147, 133, 137
[2066] 1375891102.876966: Received cookie: MIT
[2066] 1375891102.877368: PKINIT client has no configured identity; giving up
[2066] 1375891102.877691: Preauth module pkinit (147) (info) returned: 0/Success
[2066] 1375891102.878080: PKINIT client has no configured identity; giving up
[2066] 1375891102.878397: Preauth module pkinit (16) (real) returned: 22/Invalid argument
[2066] 1375891102.878707: PKINIT client has no configured identity; giving up
[2066] 1375891102.879170: Preauth module pkinit (14) (real) returned: 22/Invalid argument
[2066] 1375891102.879420: PKINIT client has no configured identity; giving up
[2066] 1375891102.879671: Preauth module pkinit (14) (real) returned: 22/Invalid argument
[2066] 1375891102.879923: Retrying AS request with master KDC
[2066] 1375891102.880150: Getting initial credentials for cornelius@TEST.LSEXPERTS.DE
[2066] 1375891102.880379: FAST armor ccache: /tmp/krb5cc_0
[2066] 1375891102.880655: Retrieving WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS -> krb5_ccache_conf_data/fast_avail/krbtgt\/TEST.LSEXPERTS.DE\@TEST.LSEXPERTS.DE@X-CACHECONF: from FILE:/tmp/krb5cc_0 with result: 0/Success
[2066] 1375891102.880828: Read config in FILE:/tmp/krb5cc_0 for krbtgt/TEST.LSEXPERTS.DE@TEST.LSEXPERTS.DE: fast_avail: yes
[2066] 1375891102.880843: Using FAST due to armor ccache negotiation result
[2066] 1375891102.880868: Getting credentials WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS -> krbtgt/TEST.LSEXPERTS.DE@TEST.LSEXPERTS.DE using ccache FILE:/tmp/krb5cc_0
[2066] 1375891102.880906: Retrieving WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS -> krbtgt/TEST.LSEXPERTS.DE@TEST.LSEXPERTS.DE from FILE:/tmp/krb5cc_0 with result: 0/Success
[2066] 1375891102.881107: Armor ccache sesion key: aes256-cts/EB8A
[2066] 1375891102.881154: Creating authenticator for WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS -> krbtgt/TEST.LSEXPERTS.DE@TEST.LSEXPERTS.DE, seqnum 0, subkey aes256-cts/D9D1, session key aes256-cts/EB8A
[2066] 1375891102.881425: FAST armor key: aes256-cts/14FB
[2066] 1375891102.881461: Encoding request body and padata into FAST request
[2066] 1375891102.881533: Sending request (994 bytes) to TEST.LSEXPERTS.DE (master)
kinit: Invalid argument while getting initial credentials

Obviously it is missing the OTP preauth plugin and only trying to do PKINIT.
Is there any OTP plugin activation I might have missed?

Yes, I changed the OTP string to be nicer JSON. :-)

Kind regards
Cornelius
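The client-side checks Greg lays out above (is a FAST armor key present, is "Decoding FAST response" seen, and which padata types does the KDC offer, translated via the "PADATA types" list in src/include/krb5/krb5.hin), applied mechanically to a KRB5_TRACE dump such as the one Cornelius posted. This is an added example for this thread, not code from MIT krb5 or from either poster. The padata numbers and names are the ones defined in krb5.hin; the three sample dumps are constructed to mirror the lines quoted in the thread (not real captures), and the re-joining of records that a mail client wrapped across lines is an assumption about how such dumps are usually pasted.

```python
"""Check a KRB5_TRACE dump for FAST and for an OTP challenge.

Added example for this thread, not code from MIT krb5 itself. The padata
type numbers are the ones listed under "PADATA types" in
src/include/krb5/krb5.hin; the sample dumps below are constructed to mirror
the lines quoted in the thread.
"""
import re

# Subset of the PADATA type numbers from krb5.hin.
PADATA_NAMES = {
    2: "ENC_TIMESTAMP",
    11: "ETYPE_INFO",
    14: "PK_AS_REQ_OLD",
    15: "PK_AS_REP_OLD",
    16: "PK_AS_REQ",
    17: "PK_AS_REP",
    19: "ETYPE_INFO2",
    133: "FX_COOKIE",
    136: "FX_FAST",
    137: "FX_ERROR",
    138: "ENCRYPTED_CHALLENGE",
    141: "OTP_CHALLENGE",
    142: "OTP_REQUEST",
    147: "PKINIT_KX",
}

# Informational padata: these carry salts, cookies or capability flags and
# do not on their own let the client prove possession of a credential.
INFORMATIONAL = {11, 19, 133, 136, 137}
OTP_CHALLENGE = 141

# "[pid] seconds.micros: " prefix that KRB5_TRACE puts on every record.
RECORD_START = re.compile(r"^\[\d+\]\s+\d+\.\d+:\s*")


def records(text):
    """Split a dump into trace records, re-joining records that a mail
    client wrapped onto several lines (assumption about pasted dumps)."""
    out = []
    for line in text.splitlines():
        if RECORD_START.match(line):
            out.append(RECORD_START.sub("", line.strip()))
        elif out and line.strip():
            out[-1] += " " + line.strip()
    return out


def classify(text):
    """Return FAST indicators and the preauth types from the FIRST KDC reply
    (a retry against the master KDC logs a second, identical negotiation)."""
    info = {"armor_key": None, "fast_response": False, "preauth_types": []}
    for msg in records(text):
        m = re.match(r"FAST armor key:\s*(\S+)", msg)
        if m and info["armor_key"] is None:
            info["armor_key"] = m.group(1)
        elif msg == "Decoding FAST response":
            info["fast_response"] = True
        elif msg.startswith("Processing preauth types:") and not info["preauth_types"]:
            info["preauth_types"] = [int(n) for n in re.findall(r"\d+", msg.split(":", 1)[1])]
    types = info["preauth_types"]
    info["names"] = [PADATA_NAMES.get(t, "UNKNOWN(%d)" % t) for t in types]
    info["mechanisms"] = [t for t in types if t not in INFORMATIONAL]
    info["fast_in_use"] = info["armor_key"] is not None and info["fast_response"]
    info["otp_offered"] = OTP_CHALLENGE in types
    return info


def verdict(text):
    """One-line diagnosis in the order Greg suggests: FAST first, then OTP."""
    info = classify(text)
    if not info["fast_in_use"]:
        return "FAST not negotiated; OTP (RFC 6560) requires FAST armor, fix that first"
    if info["otp_offered"]:
        return "KDC offers OTP_CHALLENGE (141); kinit should prompt for a token value"
    return ("FAST in use but KDC offers no OTP_CHALLENGE; offered: "
            + ", ".join(info["names"]) + " -> look at otp_edata on the KDC")


# Constructed samples mirroring the thread (not real captures).
HEALTHY_TRACE = """\
[2066] 1375891102.870788: FAST armor key: aes256-cts/C54D
[2066] 1375891102.875979: Received error from KDC: -1765328359/Additional pre-authentication required
[2066] 1375891102.876337: Decoding FAST response
[2066] 1375891102.876715: Processing preauth types: 136, 19, 141, 133, 137
"""

NO_OTP_TRACE = """\
[2066] 1375891102.870788: FAST armor key: aes256-cts/CD73
[2066] 1375891102.871318: Encoding request body and padata into FAST request
[2066] 1375891102.875979: Received error from KDC: -1765328359/Additional pre-authentication required
[2066] 1375891102.876337: Decoding FAST response
[2066] 1375891102.876715: Processing preauth types: 16, 15, 14, 136,
147, 133, 137
[2066] 1375891102.876966: Received cookie: MIT
"""

NO_FAST_TRACE = """\
[2070] 1375891200.000001: Getting initial credentials for cornelius@TEST.LSEXPERTS.DE
[2070] 1375891200.000002: Received error from KDC: -1765328359/Additional pre-authentication required
[2070] 1375891200.000003: Processing preauth types: 19, 2, 136, 133
"""

if __name__ == "__main__":
    for name, dump in [("healthy", HEALTHY_TRACE), ("no_otp", NO_OTP_TRACE), ("no_fast", NO_FAST_TRACE)]:
        print(name + ": " + verdict(dump))
```

Run against Cornelius's dump the script reports FAST in use but only PKINIT mechanisms (16, 15, 14, 147) plus the informational FX_FAST, FX_COOKIE and FX_ERROR types, which is exactly the "KDC is not offering OTP" case Greg says needs a look at otp_edata on the KDC side; only the first "Processing preauth types" record is used because the retry against the master KDC repeats the same negotiation.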
