Configuring OTPOverRadius

Cornelius Kölbel cornelius.koelbel at lsexperts.de
Thu Aug 8 07:39:45 EDT 2013


On 07.08.2013 17:47, Greg Hudson wrote:
> On 08/07/2013 05:05 AM, Cornelius Kölbel wrote:
>> The KDC log tells me that the anonymous ticket was issued and the
>> ticket based on the user's password. No OTP plugin involved.
>>
>> Aug 06 01:11:08 krb-kdc krb5kdc[29207](info): AS_REQ (6 etypes {18
>> 17 16 23 25 26}) 172.16.200.148: NEEDED_PREAUTH:
>> cornelius at TEST.LSEXPERTS.DE for
>> krbtgt/TEST.LSEXPERTS.DE at TEST.LSEXPERTS.DE, Additional
>> pre-authentication required
>>
>> Aug 06 01:11:50 krb-kdc krb5kdc[29207](info): AS_REQ (6 etypes {18
>> 17 16 23 25 26}) 172.16.200.148: ISSUE: authtime 1375744310,
>> etypes {rep=18 tkt=18 ses=18}, cornelius at TEST.LSEXPERTS.DE for
>> krbtgt/TEST.LSEXPERTS.DE at TEST.LSEXPERTS.DE
> I'm not sure what you're missing.  If you successfully purged all of
> the keys from cornelius with purgekeys -all, there should be no
> password to authenticate with.  "getprinc cornelius" should say
> "Number of keys: 0".
>
> I think there's something else wrong as well, though.  Even with
> long-term keys on the cornelius entry, OTP should be offered before
> encrypted challenge and the client should prompt for it.
>
>> So I rebuilt with
>>
>> ./configure CFLAGS=-g
>>
>> ...but it brought no additional output or insight. How do you
>> recommend increasing the debug output to get the OTP preauth tested?
> Building with -g just makes it easier to run a debugger on the
> binaries; it doesn't cause the binaries to generate additional output.
>
> You can get additional information on the client side by running kinit
> with the KRB5_TRACE environment variable set to a filename or to
> /dev/stdout.  So, for example:
>
>   KRB5_TRACE=/dev/stdout kinit -T /tmp/krb5cc_0 cornelius
>
> The first thing to check is that you are successfully using FAST.
> Near the beginning, you should see a line like:
>
>   FAST armor key: aes256-cts/C54D
>
> and a little later on you should see "Decoding FAST response", in a
> context like this:
>
>   Received error from KDC: -1765328359/Additional pre-authentication
> required
>   Decoding FAST response
>   Processing preauth types: 136, 19, 141, 133, 137
>
> The next question is what preauth types the KDC is offering.  The
> types can be translated by looking at src/include/krb5/krb5.hin and
> searching for "PADATA types".  In the above example, 136, 19, 133, and
> 137 are informational padata types, and 141 is OTP-CHALLENGE, which
> causes the client to prompt for an OTP token value.  In your case, I
> expect different output.
>
> If you are using FAST and the KDC is not offering OTP, then you may
> need more information from the KDC side, which unfortunately is not as
> finely instrumented yet.  You might need to attach to the krb5kdc
> process with gdb, set a breakpoint in otp_edata, and find out why it's
> deciding not to produce a challenge for the preauth-required error.
>
Hi Greg,
I set the breakpoint to

    (gdb) break plugins/preauth/otp/main.c:197
    No source file named plugins/preauth/otp/main.c.
    Make breakpoint pending on future shared library load? (y or [n]) y
    Breakpoint 1 (plugins/preauth/otp/main.c:197) pending.


but it does not break, as if it did not load the otp preauth plugin at all.
Can I stop and break somewhere where otp should be loaded?

Kind regards
Cornelius
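
The client-side check Greg describes (is FAST in use, and does the KDC offer
OTP-CHALLENGE in the preauth-required error?) is mechanical enough to script.
The following is an added example, not code from either poster or from the
krb5 project: it reads KRB5_TRACE output from kinit, strips the "[pid] time:"
prefix that real trace lines carry, maps the numeric PA-DATA types to the
names from src/include/krb5/krb5.hin (RFC 4120, RFC 6113, RFC 6560), and
classifies the run. The trace text embedded below is constructed for the
example and only mirrors the line shapes quoted in the reply; the pid and
timestamps are made up.

```python
import re

# PA-DATA type numbers from src/include/krb5/krb5.hin (subset relevant here).
PADATA_NAMES = {
    2: "ENC-TIMESTAMP",
    11: "ETYPE-INFO",
    16: "PK-AS-REQ",
    17: "PK-AS-REP",
    19: "ETYPE-INFO2",
    133: "FX-COOKIE",
    136: "FX-FAST",
    137: "FX-ERROR",
    138: "ENCRYPTED-CHALLENGE",
    141: "OTP-CHALLENGE",
    142: "OTP-REQUEST",
}

# Types the reply above calls informational: they never make kinit prompt.
INFORMATIONAL = {11, 19, 133, 136, 137}

# Real KRB5_TRACE lines look like "[4242] 1375744310.000002: FAST armor key: ..."
PREFIX_RE = re.compile(r"^\[\d+\]\s+[\d.]+:\s*")
ARMOR_RE = re.compile(r"^FAST armor key:\s*(\S+)")
TYPES_RE = re.compile(r"^Processing preauth types:\s*(.*)$")


def strip_prefix(line):
    """Drop the '[pid] timestamp: ' prefix, if present."""
    return PREFIX_RE.sub("", line.strip())


def parse_trace(trace_text):
    """Collect the FAST and preauth-type facts from a kinit trace."""
    info = {"armor_key": None, "fast_response": False, "offered": []}
    for raw in trace_text.splitlines():
        line = strip_prefix(raw)
        m = ARMOR_RE.match(line)
        if m:
            info["armor_key"] = m.group(1)
            continue
        if line == "Decoding FAST response":
            info["fast_response"] = True
            continue
        m = TYPES_RE.match(line)
        if m:
            info["offered"].append([int(t) for t in re.findall(r"\d+", m.group(1))])
    return info


def describe(types):
    """Translate numeric types into 'number/NAME' strings."""
    return ["%d/%s" % (t, PADATA_NAMES.get(t, "UNKNOWN")) for t in types]


def prompting_types(types):
    """Types that are not merely informational, i.e. may cause a prompt."""
    return [t for t in types if t not in INFORMATIONAL]


def diagnose(info):
    """Return (code, explanation) following the triage order in the reply."""
    offered = sorted({t for lst in info["offered"] for t in lst})
    if info["armor_key"] is None or not info["fast_response"]:
        return ("NO_FAST", "kinit did not use FAST (no 'FAST armor key' line or no "
                "'Decoding FAST response'); check the armor ccache given with -T")
    if 141 in offered:
        return ("OTP_OFFERED", "FAST in use and the KDC offered 141/OTP-CHALLENGE; "
                "kinit should prompt for a token value")
    msg = "FAST in use but 141/OTP-CHALLENGE was not offered (offered: %s); " \
          "look at the KDC side, e.g. why otp_edata produced no challenge" % ", ".join(describe(offered))
    if 138 in offered:
        msg += "; 138/ENCRYPTED-CHALLENGE was offered instead, so a long-term key on the principal will be used"
    return ("FAST_NO_OTP", msg)


# Constructed sample traces (not captured from the thread's KDC).
SAMPLE_OTP = """[4242] 1375744310.000001: Getting initial credentials for cornelius@TEST.LSEXPERTS.DE
[4242] 1375744310.000002: FAST armor key: aes256-cts/C54D
[4242] 1375744310.000003: Received error from KDC: -1765328359/Additional pre-authentication required
[4242] 1375744310.000004: Decoding FAST response
[4242] 1375744310.000005: Processing preauth types: 136, 19, 141, 133, 137
"""
SAMPLE_NO_FAST = """[4243] 1375744320.000001: Getting initial credentials for cornelius@TEST.LSEXPERTS.DE
[4243] 1375744320.000002: Received error from KDC: -1765328359/Additional pre-authentication required
[4243] 1375744320.000003: Processing preauth types: 136, 19, 2, 133
"""
SAMPLE_FAST_NO_OTP = """[4244] 1375744330.000001: FAST armor key: aes256-cts/C54D
[4244] 1375744330.000002: Received error from KDC: -1765328359/Additional pre-authentication required
[4244] 1375744330.000003: Decoding FAST response
[4244] 1375744330.000004: Processing preauth types: 136, 19, 138, 133, 137
"""

if __name__ == "__main__":
    for name, sample in (("otp", SAMPLE_OTP), ("no_fast", SAMPLE_NO_FAST), ("fast_no_otp", SAMPLE_FAST_NO_OTP)):
        code, msg = diagnose(parse_trace(sample))
        print("%-12s %-12s %s" % (name, code, msg))
```

To use it on a real run, save the trace (KRB5_TRACE=/tmp/kinit.trace kinit -T /tmp/krb5cc_0 cornelius) and feed the file's contents to parse_trace. The classification only looks at what the client received, so a FAST_NO_OTP result is exactly the case where, as the reply says, the KDC process itself has to be inspected.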


