Configuring OTPOverRadius

Nathaniel McCallum npmccallum at redhat.com
Thu Aug 8 11:36:31 EDT 2013


----- Original Message -----
> 
> On 07.08.2013 12:08, Dmitri Pal wrote:
> > On 08/07/2013 05:05 AM, Cornelius Kölbel wrote:
> >> On 05.08.2013 18:04, Greg Hudson wrote:
> >>> On 08/05/2013 11:26 AM, Cornelius Kölbel wrote:
> >>>> But when doing a kinit on the client machine, the KDC still sends
> >>>> an ERR_PREAUTH_REQUIRED and the user can authenticate with the
> >>>> static password. No RADIUS traffic.
> >>>>
> >>>> What is the status of the OTP/Radius plugin? Did I miss something?
> >>> A couple of things:
> >>>
> >>> * First, allowing OTP preauth does not prevent Kerberos password
> >>> preauth (encrypted timestamp or encrypted challenge).  If you want to
> >>> prevent password preauth, you should remove the principal's keys with
> >>> "purgekeys -all princname" (recently added on master).
> >>>
> >>> * Second, OTP preauth only works with FAST.  We unfortunately don't
> >>> have good documentation on deploying FAST yet, but the basic
> >>> constraint is that you have to have tickets to get tickets.  To get
> >>> the initial "armor" tickets, you have two choices:
> >>>
> >>>   1. Use a keytab for a principal, such as a host principal, which has
> >>> a random key and therefore does not need to require preauth.
> >>>
> >>>   2. Use anonymous PKINIT.  We do have instructions on setting up
> >>> anonymous PKINIT at:
> >>>
> >>>     http://web.mit.edu/kerberos/krb5-latest/doc/admin/pkinit.html
> >>>
> >>> For testing purposes, once you have gotten the armor ticket one way or
> >>> another, you can use "kinit -T armorccache princname" to get tickets
> >>> using FAST.
> >>>
> >>> Russ Allbery's pam_krb5 supports "anon_fast" and "fast_ccache"
> >>> options.  (A "fast_keytab" option would also be interesting, but it
> >>> doesn't appear to exist yet, and arguably some of that complexity should
> >>> be moved into libkrb5.)
> >> Hi Greg,
> >> thanks for the answer.
> >> I set up anonymous PKINIT and do a kinit -n, which works fine:
> >>
> >>   root at krb-client:~# kinit -n
> >>   root at krb-client:~# klist
> >>   Ticket cache: FILE:/tmp/krb5cc_0
> >>   Default principal: WELLKNOWN/ANONYMOUS at WELLKNOWN:ANONYMOUS
> >>
> >>   Valid starting       Expires              Service principal
> >>   06.08.2013 00:54:05  06.08.2013 10:54:05  krbtgt/TEST.LSEXPERTS.DE at TEST.LSEXPERTS.DE
> >>       renew until 07.08.2013 00:54:05
> >>
> >> Now I tried different things (purgekeys -all principal and not), but the
> >> KDC will never do a RADIUS request.
> >>
> >> I do something like this:
> >>     kinit -T /tmp/krb5cc_0 cornelius
> >>
> >> (Do I need to add options with -X?)
> >>
> >> I have my otp section in /usr/local/var/krb5kdc/kdc.conf
> >>
> >>   [otp]
> >>   linotp = {
> >>           server = 172.16.200.146:1812
> >>           secret = geheim
> >>           strip_realm = true
> >>   }
> >>
> >> and the principal cornelius has the otp string specified:
> >>
> >>   kadmin.local:  get_strings cornelius
> >>   otp: [{ type : linotp }]
> >>
> >>
> >> The KDC log tells me that the anonymous ticket was issued and the
> >> ticket based on the user's password. No OTP plugin involved.
> >>
> >> Aug 06 01:11:06 krb-kdc krb5kdc[29207](info): AS_REQ (6 etypes {18 17 16
> >> 23 25 26}) 172.16.200.148: NEEDED_PREAUTH:
> >> WELLKNOWN/ANONYMOUS at TEST.LSEXPERTS.DE for
> >> krbtgt/TEST.LSEXPERTS.DE at TEST.LSEXPERTS.DE, Additional
> >> pre-authentication required
> >> Aug 06 01:11:06 krb-kdc krb5kdc[29207](info): AS_REQ (6 etypes {18 17 16
> >> 23 25 26}) 172.16.200.148: ISSUE: authtime 1375744266, etypes {rep=18
> >> tkt=18 ses=18}, WELLKNOWN/ANONYMOUS at TEST.LSEXPERTS.DE for
> >> krbtgt/TEST.LSEXPERTS.DE at TEST.LSEXPERTS.DE
> >> Aug 06 01:11:06 krb-kdc krb5kdc[29207](info): closing down fd 17
> >> Aug 06 01:11:08 krb-kdc krb5kdc[29207](info): AS_REQ (6 etypes {18 17 16
> >> 23 25 26}) 172.16.200.148: NEEDED_PREAUTH: cornelius at TEST.LSEXPERTS.DE
> >> for krbtgt/TEST.LSEXPERTS.DE at TEST.LSEXPERTS.DE, Additional
> >> pre-authentication required
> >> Aug 06 01:11:50 krb-kdc krb5kdc[29207](info): AS_REQ (6 etypes {18 17 16
> >> 23 25 26}) 172.16.200.148: ISSUE: authtime 1375744310, etypes {rep=18
> >> tkt=18 ses=18}, cornelius at TEST.LSEXPERTS.DE for
> >> krbtgt/TEST.LSEXPERTS.DE at TEST.LSEXPERTS.DE
> >>
> >>
> >> So I rebuilt with
> >>
> >>    ./configure CFLAGS=-g
> >>
> >> ...but it brought no additional output and insight.
> >> How do you recommend to increase debug and get the OTP Preauth tested?
> >>
> >> Kind regards
> >> Cornelius
> >
> > Please take a look at this:
> > http://fedoraproject.org/wiki/Features/FreeIPA_Two_Factor_Authentication
> > IPA uses MIT Kerberos as is.
> > That should help you to set up an integrated solution that works.
> > Then you would be able to see what is missing in your setup with the
> > pure Kerberos implementation.
> >
> Hi Dmitri,
> is there any further documentation about how to configure OTP/Radius for
> a user in FreeIPA?
> I cannot find anything about this following the links on
> http://fedoraproject.org/wiki/Features/FreeIPA_Two_Factor_Authentication.
> I installed FreeIPA on Fedora 19 and cannot find anything, either.
> Thanks a lot and kind regards
> Cornelius

The UI is under active development. You can test with some makeshift scripts as documented here: https://fedoraproject.org/wiki/Test_Day:2013-06-06_FreeIPA_Two_Factor_Authentication

Nathaniel
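
An added check, not part of the original thread and not MIT krb5 code: it cross-references a principal's "otp" string attribute against the token types defined in the [otp] section of kdc.conf, the two pieces of configuration quoted above. It assumes the string attribute is a JSON array of objects with a "type" key, as the MIT krb5 OTP documentation describes; the function names and the sample configuration are constructed for illustration.

```python
import json
import re

# Constructed sample mirroring the [otp] stanza quoted in the thread.
KDC_CONF = """
[otp]
linotp = {
        server = 172.16.200.146:1812
        secret = geheim
        strip_realm = true
}
"""

def otp_token_types(conf_text):
    """Return {token_type: {option: value}} for the [otp] section of kdc.conf."""
    types, section, current = {}, None, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section, current = header.group(1), None
        elif section != "otp":
            continue
        elif line == "}":
            current = None
        elif re.fullmatch(r"[\w.-]+\s*=\s*\{", line):
            current = types.setdefault(line.split("=")[0].strip(), {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return types

def check_otp_string(attr_value, token_types):
    """Return a list of problems found in a principal's otp string attribute."""
    try:
        entries = json.loads(attr_value)
    except ValueError as exc:
        return ["otp string is not valid JSON: %s" % exc]
    if not isinstance(entries, list):
        return ["otp string must be a JSON array of objects"]
    problems = []
    for i, entry in enumerate(entries):
        ttype = entry.get("type") if isinstance(entry, dict) else None
        if not isinstance(ttype, str):
            problems.append("entry %d has no string 'type'" % i)
        elif ttype not in token_types:
            problems.append("entry %d: type %r not defined under [otp]" % (i, ttype))
    return problems
```

With the sample above, check_otp_string('[{"type": "linotp"}]', otp_token_types(KDC_CONF)) returns an empty list; a value whose quotes were lost on the way into set_string is reported as invalid JSON.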


