Configuring OTPOverRadius
Cornelius Kölbel
cornelius.koelbel at lsexperts.de
Thu Aug 8 09:21:12 EDT 2013
Am 07.08.2013 12:08, schrieb Dmitri Pal:
> On 08/07/2013 05:05 AM, Cornelius Kölbel wrote:
>> Am 05.08.2013 18:04, schrieb Greg Hudson:
>>> On 08/05/2013 11:26 AM, Cornelius Kölbel wrote:
>>>> But when doing a kinit on the client machine, the KDC still sends
>>>> a ERR_PREAUTH_REQUIRED and the user can authenticate with the
>>>> static password. No RADIUS traffic.
>>>>
>>>> What is the status of the OTP/Radius plugin? Did I miss something?
>>> A couple of things:
>>>
>>> * First, allowing OTP preauth does not prevent Kerberos password
>>> preauth (encrypted timestamp or encrypted challenge). If you want to
>>> prevent password preauth, you should remove the principal's keys with
>>> "purgekeys -all princname" (recently added on master).
>>>
>>> * Second, OTP preauth only works with FAST. We unfortunately don't
>>> have good documentation on deploying FAST yet, but the basic
>>> constraint is that you have to have tickets to get tickets. To get
>>> the initial "armor" tickets, you have two choices:
>>>
>>> 1. Use a keytab for a principal, such as a host principal, which has
>>> a random key and therefore does not need to require preauth.
>>>
>>> 2. Use anonymous PKINIT. We do have instructions on setting up
>>> anonymous PKINIT at:
>>>
>>> http://web.mit.edu/kerberos/krb5-latest/doc/admin/pkinit.html
>>>
>>> For testing purposes, once you have gotten the armor ticket one way or
>>> another, you can use "kinit -T armorccache princname" to get tickets
>>> using FAST.
>>>
>>> Russ Allbery's pam_krb5 supports "anon_fast" and "fast_ccache"
>>> options. (A "fast_keytab" option would also be interesting, but it
>>> doesn't appear to exist yet, and arguably some of that complexity should
>>> be moved into libkrb5.)
>> Hi Greg,
>> thanks for the answer.
>> I setup anonymous PKINIT and do a kinit -n, which works fine:
>>
>> root at krb-client:~# kinit -n
>> root at krb-client:~# klist
>> Ticket cache: FILE:/tmp/krb5cc_0
>> Default principal: WELLKNOWN/ANONYMOUS at WELLKNOWN:ANONYMOUS
>>
>> Valid starting Expires Service principal
>> 06.08.2013 00:54:05 06.08.2013 10:54:05
>> krbtgt/TEST.LSEXPERTS.DE at TEST.LSEXPERTS.DE
>> renew until 07.08.2013 00:54:05
>>
>> Now I tried different things (purgekeys -all principal and not), but the
>> KDC will never do a RADIUS request.
>>
>> I do something like this:
>> kinit -T /tmp/krb5cc_0 cornelius
>>
>> (Do I need to add options with -X?)
>>
>> I have my otp section in /usr/local/var/krb5kdc/kdc.conf
>>
>> [otp]
>> linotp = {
>> server = 172.16.200.146:1812
>> secret = geheim
>> strip_realm = true
>> }
>>
>> and the principal cornelius has the otp string specified:
>>
>> kadmin.local: get_strings cornelius
>> otp: [{ type : linotp }]
>>
>>
>> The KDC log tells me, that the anonymous ticket was issued and the
>> ticked based on the users password. No OTP plugin involved.
>>
>> |Aug 06 01:11:06 krb-kdc krb5kdc[29207](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 172.16.200.148: NEEDED_PREAUTH: WELLKNOWN/ANONYMOUS at TEST.LSEXPERTS.DE for krbtgt/TEST.LSEXPERTS.DE at TEST.LSEXPERTS.DE, Additional pre-authentication required
>> Aug 06 01:11:06 krb-kdc krb5kdc[29207](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 172.16.200.148: ISSUE: authtime 1375744266, etypes {rep=18 tkt=18 ses=18}, WELLKNOWN/ANONYMOUS at TEST.LSEXPERTS.DE for krbtgt/TEST.LSEXPERTS.DE at TEST.LSEXPERTS.DE
>> Aug 06 01:11:06 krb-kdc krb5kdc[29207](info): closing down fd 17
>> Aug 06 01:11:08 krb-kdc krb5kdc[29207](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 172.16.200.148: NEEDED_PREAUTH: cornelius at TEST.LSEXPERTS.DE for krbtgt/TEST.LSEXPERTS.DE at TEST.LSEXPERTS.DE, Additional pre-authentication required
>> Aug 06 01:11:50 krb-kdc krb5kdc[29207](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 172.16.200.148: ISSUE: authtime 1375744310, etypes {rep=18 tkt=18 ses=18}, cornelius at TEST.LSEXPERTS.DE for krbtgt/TEST.LSEXPERTS.DE at TEST.LSEXPERTS.DE|
>>
>>
>> So I rebuilt with
>>
>> ./configure CFLAGS=-g
>>
>> ...but it brought no additional output and insight.
>> How do you recommend to increase debug and get the OTP Preauth tested?
>>
>> Kind regards
>> Cornelius
>>
>>
>>
>>
>> _______________________________________________
>> krbdev mailing list krbdev at mit.edu
>> https://mailman.mit.edu/mailman/listinfo/krbdev
>
> Please take a look at this:
> http://fedoraproject.org/wiki/Features/FreeIPA_Two_Factor_Authentication
> IPA uses MIT Kerberos as is.
> That should help you to setup an integrated solution that works.
> Then you would be able to see what is missing in your setup with the
> pure Kerberos implementation.
>
Hi Dmitri,
is there any further documentation about how to configure OTP/Radius for
a user in FeeIPA?
I can not find anything about this following the links on
http://fedoraproject.org/wiki/Features/FreeIPA_Two_Factor_Authentication.
I installed FreeIPA on Fedora 19 and can not find anything, either.
Thanks a lot and kind regards
Cornelius
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 263 bytes
Desc: OpenPGP digital signature
Url : http://mailman.mit.edu/pipermail/krbdev/attachments/20130808/e38a5651/attachment.bin
More information about the krbdev
mailing list