Configuring OTPOverRadius

Nathaniel McCallum npmccallum at redhat.com
Wed Aug 14 09:46:11 EDT 2013



----- Original Message -----
> 
> Am 08.08.2013 17:36, schrieb Nathaniel McCallum:
> > ----- Original Message -----
> >> Am 07.08.2013 12:08, schrieb Dmitri Pal:
> >>> On 08/07/2013 05:05 AM, Cornelius Kölbel wrote:
> >>>> Am 05.08.2013 18:04, schrieb Greg Hudson:
> >>>>> On 08/05/2013 11:26 AM, Cornelius Kölbel wrote:
> >>>>>> But when doing a kinit on the client machine, the KDC still sends
> >>>>>> a ERR_PREAUTH_REQUIRED and the user can authenticate with the
> >>>>>> static password. No RADIUS traffic.
> >>>>>>
> >>>>>> What is the status of the OTP/Radius plugin? Did I miss something?
> >>>>> A couple of things:
> >>>>>
> >>>>> * First, allowing OTP preauth does not prevent Kerberos password
> >>>>> preauth (encrypted timestamp or encrypted challenge).  If you want to
> >>>>> prevent password preauth, you should remove the principal's keys with
> >>>>> "purgekeys -all princname" (recently added on master).
> >>>>>
> >>>>> * Second, OTP preauth only works with FAST.  We unfortunately don't
> >>>>> have good documentation on deploying FAST yet, but the basic
> >>>>> constraint is that you have to have tickets to get tickets.  To get
> >>>>> the initial "armor" tickets, you have two choices:
> >>>>>
> >>>>>   1. Use a keytab for a principal, such as a host principal, which has
> >>>>> a random key and therefore does not need to require preauth.
> >>>>>
> >>>>>   2. Use anonymous PKINIT.  We do have instructions on setting up
> >>>>> anonymous PKINIT at:
> >>>>>
> >>>>>     http://web.mit.edu/kerberos/krb5-latest/doc/admin/pkinit.html
> >>>>>
> >>>>> For testing purposes, once you have gotten the armor ticket one way or
> >>>>> another, you can use "kinit -T armorccache princname" to get tickets
> >>>>> using FAST.
> >>>>>
> >>>>> Russ Allbery's pam_krb5 supports "anon_fast" and "fast_ccache"
> >>>>> options.  (A "fast_keytab" option would also be interesting, but it
> >>>>> doesn't appear to exist yet, and arguably some of that complexity
> >>>>> should
> >>>>> be moved into libkrb5.)
> >>>> Hi Greg,
> >>>> thanks for the answer.
> >>>> I set up anonymous PKINIT and do a kinit -n, which works fine:
> >>>>
> >>>>   root at krb-client:~# kinit -n
> >>>>   root at krb-client:~# klist
> >>>>   Ticket cache: FILE:/tmp/krb5cc_0
> >>>>   Default principal: WELLKNOWN/ANONYMOUS at WELLKNOWN:ANONYMOUS
> >>>>
> >>>>   Valid starting       Expires              Service principal
> >>>>   06.08.2013 00:54:05  06.08.2013 10:54:05
> >>>> krbtgt/TEST.LSEXPERTS.DE at TEST.LSEXPERTS.DE
> >>>>       renew until 07.08.2013 00:54:05
> >>>>
> >>>> Now I tried different things (purgekeys -all principal and not), but the
> >>>> KDC will never do a RADIUS request.
> >>>>
> >>>> I do something like this:
> >>>>     kinit -T /tmp/krb5cc_0 cornelius
> >>>>
> >>>> (Do I need to add options with -X?)
> >>>>
> >>>> I have my otp section in /usr/local/var/krb5kdc/kdc.conf
> >>>>
> >>>>   [otp]
> >>>>   linotp = {
> >>>>           server = 172.16.200.146:1812
> >>>>           secret = geheim
> >>>>           strip_realm = true
> >>>>   }
> >>>>
> >>>> and the principal cornelius has the otp string specified:
> >>>>
> >>>>   kadmin.local:  get_strings cornelius
> >>>>   otp: [{ type : linotp }]
> >>>>
> >>>>
> >>>> The KDC log tells me that the anonymous ticket was issued and the
> >>>> ticket based on the user's password. No OTP plugin involved.
> >>>>
> >>>> Aug 06 01:11:06 krb-kdc krb5kdc[29207](info): AS_REQ (6 etypes {18 17 16
> >>>> 23 25 26}) 172.16.200.148: NEEDED_PREAUTH:
> >>>> WELLKNOWN/ANONYMOUS at TEST.LSEXPERTS.DE for
> >>>> krbtgt/TEST.LSEXPERTS.DE at TEST.LSEXPERTS.DE, Additional
> >>>> pre-authentication required
> >>>> Aug 06 01:11:06 krb-kdc krb5kdc[29207](info): AS_REQ (6 etypes {18 17 16
> >>>> 23 25 26}) 172.16.200.148: ISSUE: authtime 1375744266, etypes {rep=18
> >>>> tkt=18 ses=18}, WELLKNOWN/ANONYMOUS at TEST.LSEXPERTS.DE for
> >>>> krbtgt/TEST.LSEXPERTS.DE at TEST.LSEXPERTS.DE
> >>>> Aug 06 01:11:06 krb-kdc krb5kdc[29207](info): closing down fd 17
> >>>> Aug 06 01:11:08 krb-kdc krb5kdc[29207](info): AS_REQ (6 etypes {18 17 16
> >>>> 23 25 26}) 172.16.200.148: NEEDED_PREAUTH: cornelius at TEST.LSEXPERTS.DE
> >>>> for krbtgt/TEST.LSEXPERTS.DE at TEST.LSEXPERTS.DE, Additional
> >>>> pre-authentication required
> >>>> Aug 06 01:11:50 krb-kdc krb5kdc[29207](info): AS_REQ (6 etypes {18 17 16
> >>>> 23 25 26}) 172.16.200.148: ISSUE: authtime 1375744310, etypes {rep=18
> >>>> tkt=18 ses=18}, cornelius at TEST.LSEXPERTS.DE for
> >>>> krbtgt/TEST.LSEXPERTS.DE at TEST.LSEXPERTS.DE
> >>>>
> >>>>
> >>>> So I rebuilt with
> >>>>
> >>>>    ./configure CFLAGS=-g
> >>>>
> >>>> ...but it brought no additional output and insight.
> >>>> How do you recommend increasing debug output and getting the OTP preauth tested?
> >>>>
> >>>> Kind regards
> >>>> Cornelius
> >>>>
> >>>>
> >>>>
> >>>>
> >>>> _______________________________________________
> >>>> krbdev mailing list             krbdev at mit.edu
> >>>> https://mailman.mit.edu/mailman/listinfo/krbdev
> >>> Please take a look at this:
> >>> http://fedoraproject.org/wiki/Features/FreeIPA_Two_Factor_Authentication
> >>> IPA uses MIT Kerberos as is.
> >>> That should help you to setup an integrated solution that works.
> >>> Then you would be able to see what is missing in your setup with the
> >>> pure Kerberos implementation.
> >>>
> >> Hi Dmitri,
> >> is there any further documentation about how to configure OTP/Radius for
> >> a user in FreeIPA?
> >> I cannot find anything about this following the links on
> >> http://fedoraproject.org/wiki/Features/FreeIPA_Two_Factor_Authentication.
> >> I installed FreeIPA on Fedora 19 and cannot find anything, either.
> >> Thanks a lot and kind regards
> >> Cornelius
> > The UI is under active development. You can test with some make-shift
> > scripts as documented here:
> > https://fedoraproject.org/wiki/Test_Day:2013-06-06_FreeIPA_Two_Factor_Authentication
> >
> > Nathaniel
> Hi Nathaniel,
> 
> thanks a lot.
> Good news at the start: I managed to successfully do the otpoverradius
> with FreeIPA on Fedora 19.
> 
> But I realized one little issue (which is not important for me):
> 
> I installed Fedora 19 from scratch.
> Installed IPA (without DNS) according to
> https://fedoraproject.org/wiki/QA:Testcase_freeipav3_installation
> Now followed: https://fedoraproject.org/wiki/QA:Testcase_freeipav3_radius
> 
> First I get an error in the krb5kdc.log:
> preauth(otp) verify failed: Access denied
> 
> I finally realized that this is an SELinux problem:
> /usr/sbin/krb5kdc tries to write to a sock_file DEFAULT.socket.

Thanks! The issue is known: https://bugzilla.redhat.com/show_bug.cgi?id=970163

Nathaniel
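An added example, not code from this thread or from MIT krb5: a small Python checker that parses the [otp] section of kdc.conf in krb5 profile syntax and compares it against a principal's otp string, flagging a token type with no stanza, a RADIUS server given without a port, or a missing shared secret. It accepts strict JSON as well as the unquoted form shown in the get_strings output above; the fallback to a DEFAULT type for a token without "type", and the treatment of a server starting with "/" as a local socket, are this example's own assumptions, not documented MIT behaviour.

```python
import json
import re

# Constructed sample modelled on the [otp] section quoted in the thread (placeholder secret).
SAMPLE_KDC_CONF = """\
[otp]
linotp = {
        server = 172.16.200.146:1812
        secret = geheim
        strip_realm = true
}
"""

def parse_profile(text):
    """Parse krb5 profile syntax: [section], key = value, key = { ... }."""
    root, stack = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            stack = [root.setdefault(line[1:-1], {})]
        elif line == "}":
            stack.pop()                           # close a nested block
        else:
            key, _, value = (p.strip() for p in line.partition("="))
            if value == "{":
                stack.append(stack[-1].setdefault(key, {}))
            else:
                stack[-1][key] = value
    return root

def check_otp_binding(kdc_conf, otp_string):
    """Return findings for a principal's otp string against the [otp] section."""
    findings, otp = [], kdc_conf.get("otp", {})
    # Accept strict JSON or the unquoted form printed by get_strings (bare words get quoted).
    quoted = re.sub(r'(?<!")\b([A-Za-z_][\w.-]*)\b(?!")', r'"\1"', otp_string)
    for tok in json.loads(quoted):
        ttype = tok.get("type", "DEFAULT")        # assumption: untyped token -> DEFAULT stanza
        stanza = otp.get(ttype)
        if stanza is None:
            findings.append(f"{ttype}: no [otp] stanza for this token type")
            continue
        server = stanza.get("server", "")
        if not server.startswith("/") and ":" not in server:   # assumption: "/..." is a socket
            findings.append(f"{ttype}: server {server!r} is not host:port or a socket path")
        if not server.startswith("/") and not stanza.get("secret"):
            findings.append(f"{ttype}: RADIUS secret missing")
    return findings
```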