Configuring OTPOverRadius
Cornelius Kölbel
cornelius.koelbel at lsexperts.de
Fri Aug 9 09:44:48 EDT 2013
On 08.08.2013 17:36, Nathaniel McCallum wrote:
> ----- Original Message -----
>> On 07.08.2013 12:08, Dmitri Pal wrote:
>>> On 08/07/2013 05:05 AM, Cornelius Kölbel wrote:
>>>> On 05.08.2013 18:04, Greg Hudson wrote:
>>>>> On 08/05/2013 11:26 AM, Cornelius Kölbel wrote:
>>>>>> But when doing a kinit on the client machine, the KDC still sends
>>>>>> a ERR_PREAUTH_REQUIRED and the user can authenticate with the
>>>>>> static password. No RADIUS traffic.
>>>>>>
>>>>>> What is the status of the OTP/Radius plugin? Did I miss something?
>>>>> A couple of things:
>>>>>
>>>>> * First, allowing OTP preauth does not prevent Kerberos password
>>>>> preauth (encrypted timestamp or encrypted challenge). If you want to
>>>>> prevent password preauth, you should remove the principal's keys with
>>>>> "purgekeys -all princname" (recently added on master).
>>>>>
>>>>> * Second, OTP preauth only works with FAST. We unfortunately don't
>>>>> have good documentation on deploying FAST yet, but the basic
>>>>> constraint is that you have to have tickets to get tickets. To get
>>>>> the initial "armor" tickets, you have two choices:
>>>>>
>>>>> 1. Use a keytab for a principal, such as a host principal, which has
>>>>> a random key and therefore does not need to require preauth.
>>>>>
>>>>> 2. Use anonymous PKINIT. We do have instructions on setting up
>>>>> anonymous PKINIT at:
>>>>>
>>>>> http://web.mit.edu/kerberos/krb5-latest/doc/admin/pkinit.html
>>>>>
>>>>> For testing purposes, once you have gotten the armor ticket one way or
>>>>> another, you can use "kinit -T armorccache princname" to get tickets
>>>>> using FAST.
>>>>>
>>>>> Russ Allbery's pam_krb5 supports "anon_fast" and "fast_ccache"
>>>>> options. (A "fast_keytab" option would also be interesting, but it
>>>>> doesn't appear to exist yet, and arguably some of that complexity should
>>>>> be moved into libkrb5.)
>>>> Hi Greg,
>>>> thanks for the answer.
>>>> I set up anonymous PKINIT and do a kinit -n, which works fine:
>>>>
>>>> root at krb-client:~# kinit -n
>>>> root at krb-client:~# klist
>>>> Ticket cache: FILE:/tmp/krb5cc_0
>>>> Default principal: WELLKNOWN/ANONYMOUS at WELLKNOWN:ANONYMOUS
>>>>
>>>> Valid starting       Expires              Service principal
>>>> 06.08.2013 00:54:05  06.08.2013 10:54:05  krbtgt/TEST.LSEXPERTS.DE at TEST.LSEXPERTS.DE
>>>>         renew until 07.08.2013 00:54:05
>>>>
>>>> Now I tried different things (purgekeys -all principal and not), but the
>>>> KDC will never do a RADIUS request.
>>>>
>>>> I do something like this:
>>>> kinit -T /tmp/krb5cc_0 cornelius
>>>>
>>>> (Do I need to add options with -X?)
>>>>
>>>> I have my otp section in /usr/local/var/krb5kdc/kdc.conf
>>>>
>>>> [otp]
>>>> linotp = {
>>>> server = 172.16.200.146:1812
>>>> secret = geheim
>>>> strip_realm = true
>>>> }
>>>>
>>>> and the principal cornelius has the otp string specified:
>>>>
>>>> kadmin.local: get_strings cornelius
>>>> otp: [{ type : linotp }]
>>>>
>>>>
>>>> The KDC log tells me that the anonymous ticket was issued and the
>>>> ticket based on the user's password. No OTP plugin involved.
>>>>
>>>> Aug 06 01:11:06 krb-kdc krb5kdc[29207](info): AS_REQ (6 etypes {18 17 16
>>>> 23 25 26}) 172.16.200.148: NEEDED_PREAUTH:
>>>> WELLKNOWN/ANONYMOUS at TEST.LSEXPERTS.DE for
>>>> krbtgt/TEST.LSEXPERTS.DE at TEST.LSEXPERTS.DE, Additional
>>>> pre-authentication required
>>>> Aug 06 01:11:06 krb-kdc krb5kdc[29207](info): AS_REQ (6 etypes {18 17 16
>>>> 23 25 26}) 172.16.200.148: ISSUE: authtime 1375744266, etypes {rep=18
>>>> tkt=18 ses=18}, WELLKNOWN/ANONYMOUS at TEST.LSEXPERTS.DE for
>>>> krbtgt/TEST.LSEXPERTS.DE at TEST.LSEXPERTS.DE
>>>> Aug 06 01:11:06 krb-kdc krb5kdc[29207](info): closing down fd 17
>>>> Aug 06 01:11:08 krb-kdc krb5kdc[29207](info): AS_REQ (6 etypes {18 17 16
>>>> 23 25 26}) 172.16.200.148: NEEDED_PREAUTH: cornelius at TEST.LSEXPERTS.DE
>>>> for krbtgt/TEST.LSEXPERTS.DE at TEST.LSEXPERTS.DE, Additional
>>>> pre-authentication required
>>>> Aug 06 01:11:50 krb-kdc krb5kdc[29207](info): AS_REQ (6 etypes {18 17 16
>>>> 23 25 26}) 172.16.200.148: ISSUE: authtime 1375744310, etypes {rep=18
>>>> tkt=18 ses=18}, cornelius at TEST.LSEXPERTS.DE for
>>>> krbtgt/TEST.LSEXPERTS.DE at TEST.LSEXPERTS.DE
>>>>
>>>>
>>>> So I rebuilt with
>>>>
>>>> ./configure CFLAGS=-g
>>>>
>>>> ...but it brought no additional output or insight.
>>>> How do you recommend increasing debug output and getting the OTP preauth tested?
>>>>
>>>> Kind regards
>>>> Cornelius
>>>>
>>>>
>>>>
>>>>
>>>> _______________________________________________
>>>> krbdev mailing list krbdev at mit.edu
>>>> https://mailman.mit.edu/mailman/listinfo/krbdev
>>> Please take a look at this:
>>> http://fedoraproject.org/wiki/Features/FreeIPA_Two_Factor_Authentication
>>> IPA uses MIT Kerberos as is.
>>> That should help you to setup an integrated solution that works.
>>> Then you would be able to see what is missing in your setup with the
>>> pure Kerberos implementation.
>>>
>> Hi Dmitri,
>> is there any further documentation about how to configure OTP/Radius for
>> a user in FreeIPA?
>> I cannot find anything about this following the links on
>> http://fedoraproject.org/wiki/Features/FreeIPA_Two_Factor_Authentication.
>> I installed FreeIPA on Fedora 19 and cannot find anything, either.
>> Thanks a lot and kind regards
>> Cornelius
> The UI is under active development. You can test with some make-shift scripts as documented here: https://fedoraproject.org/wiki/Test_Day:2013-06-06_FreeIPA_Two_Factor_Authentication
>
> Nathaniel
Hi Nathaniel,
thanks a lot.
Good news at the start: I managed to successfully do the otpoverradius
with FreeIPA on Fedora 19.
But I realized one little issue (which is not important for me):
I installed Fedora 19 from scratch.
Installed IPA (without DNS) according to
https://fedoraproject.org/wiki/QA:Testcase_freeipav3_installation
Now followed: https://fedoraproject.org/wiki/QA:Testcase_freeipav3_radius
First I got an error in krb5kdc.log:
preauth(otp) verify failed: Access denied
I finally realized that this is an SELinux problem:
/usr/sbin/krb5kdc tries to write to a sock_file DEFAULT.socket.
When I do not start krb5kdc as a daemon on system startup but start
krb5kdc from the command line, everything works fine
(Or obviously if I had disabled or adapted SELinux policy)
@Greg and Dmitri:
After playing with the IPA installation I returned to my other machines
with the native MIT Kerberos installation.
*Gaaaah* and besides restarting the whole machine I am not able to tell
what has changed. :-/ But it works now, too!
Thanks a lot for all assistance and patience.
Kind regards
Cornelius
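The setup discussed in this thread has the KDC forwarding the user's OTP to the RADIUS server named in the kdc.conf [otp] section (172.16.200.146:1812, shared secret geheim, strip_realm = true), and the repeated problem was "no RADIUS traffic" with nothing in the KDC log to explain why. The following is an added example, not code from this thread, from MIT krb5's OTP module or from FreeIPA: a minimal RFC 2865 Access-Request / Access-Accept exchange in Python that lets a practitioner test the RADIUS side on its own, separately from the KDC and FAST, and that shows what strip_realm changes on the wire (User-Name "cornelius" instead of "cornelius@TEST.LSEXPERTS.DE"). A stand-in server function plays the RADIUS side so the script runs offline; the NAS-Identifier value, the sample OTP "123456" and the attribute set are assumptions, not something the thread specifies.

```python
import hashlib
import hmac
import secrets
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IDENTIFIER = 1, 2, 32

# Values taken from the [otp] section of kdc.conf quoted in the thread.
RADIUS_SERVER = ("172.16.200.146", 1812)
RADIUS_SECRET = b"geheim"
STRIP_REALM = True


def radius_user_name(principal, strip_realm=STRIP_REALM):
    """User-Name the KDC sends: with strip_realm the '@REALM' part is dropped."""
    if strip_realm and "@" in principal:
        return principal.split("@", 1)[0]
    return principal

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def encode_user_password(password, secret, request_auth):
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each block with MD5(secret + previous block)."""
    if not 0 < len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        prev = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out += prev
    return out

def decode_user_password(encoded, secret, request_auth):
    """Inverse of encode_user_password, as the RADIUS server computes it."""
    plain, prev = b"", request_auth
    for i in range(0, len(encoded), 16):
        chunk = encoded[i:i + 16]
        plain += _xor(chunk, hashlib.md5(secret + prev).digest())
        prev = chunk
    return plain.rstrip(b"\x00")

def _attr(attr_type, value):
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes([attr_type, len(value) + 2]) + value

def parse_attributes(data):
    """Return [(type, value), ...]; reject truncated or zero-length attributes."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute")
        attrs.append((data[i], data[i + 2:i + data[i + 1]]))
        i += data[i + 1]
    return attrs

def build_access_request(identifier, principal, otp, secret=RADIUS_SECRET,
                         request_auth=None, nas_id=b"krb-kdc"):
    """Access-Request: code, id, length, 16-byte random Request Authenticator, attributes."""
    request_auth = request_auth or secrets.token_bytes(16)
    attrs = (_attr(ATTR_USER_NAME, radius_user_name(principal).encode())
             + _attr(ATTR_USER_PASSWORD, encode_user_password(otp.encode(), secret, request_auth))
             + _attr(ATTR_NAS_IDENTIFIER, nas_id))  # NAS-Identifier value is an assumption
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + request_auth + attrs

def response_authenticator(code, identifier, attrs, request_auth, secret):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 section 3."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()

def build_response(code, identifier, request_auth, secret=RADIUS_SECRET, attrs=b""):
    auth = response_authenticator(code, identifier, attrs, request_auth, secret)
    return struct.pack("!BBH", code, identifier, 20 + len(attrs)) + auth + attrs

def check_response(response, request, secret=RADIUS_SECRET):
    """'accept'/'reject'/'other', or 'invalid' if id or Response Authenticator do not match."""
    if len(response) < 20:
        return "invalid"
    code, ident, length = struct.unpack("!BBH", response[:4])
    if length != len(response) or ident != request[1]:
        return "invalid"
    expected = response_authenticator(code, ident, response[20:], request[4:20], secret)
    if not hmac.compare_digest(expected, response[4:20]):
        return "invalid"
    return {ACCESS_ACCEPT: "accept", ACCESS_REJECT: "reject"}.get(code, "other")

def simulate_server(request, secret, valid_otp):
    """Stand-in for the RADIUS server: decode the OTP and answer Accept or Reject."""
    code, ident, length = struct.unpack("!BBH", request[:4])
    if code != ACCESS_REQUEST or length != len(request):
        raise ValueError("not a well-formed Access-Request")
    request_auth = request[4:20]
    attrs = dict(parse_attributes(request[20:]))
    otp = decode_user_password(attrs[ATTR_USER_PASSWORD], secret, request_auth)
    code = ACCESS_ACCEPT if hmac.compare_digest(otp, valid_otp) else ACCESS_REJECT
    return build_response(code, ident, request_auth, secret)


if __name__ == "__main__":
    # Offline demonstration with a constructed OTP; a real value comes from the user's token.
    req = build_access_request(7, "cornelius@TEST.LSEXPERTS.DE", "123456")
    print("User-Name on the wire:", dict(parse_attributes(req[20:]))[ATTR_USER_NAME])
    print("same secret :", check_response(simulate_server(req, RADIUS_SECRET, b"123456"), req))
    print("wrong OTP   :", check_response(simulate_server(req, RADIUS_SECRET, b"654321"), req))
    print("wrong secret:", check_response(simulate_server(req, b"other", b"123456"), req))
```

Against the real server, send the bytes from build_access_request over UDP to RADIUS_SERVER (or use FreeRADIUS's radtest, e.g. `radtest cornelius <otp> 172.16.200.146 0 geheim`) and feed the reply to check_response. Two things this separates cleanly: a reply that checks out as "accept" or "reject" proves the shared secret matches on both ends, while "invalid" means a secret mismatch or a tampered reply, and a "reject" for a correct OTP points at the user mapping (strip_realm) rather than at the KDC. The "Access denied" in the thread turned out to be SELinux, not RADIUS; `ausearch -m AVC -c krb5kdc` shows the denied sock_file access and is the check to run before reaching for setenforce 0.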