OTPOverRadius IPA vs Krb

Henry B. Hotz hotz at jpl.nasa.gov
Wed Jun 19 17:22:50 EDT 2013

Absent trivial success, this got back-burner'ed for me.  What you say probably explains why no OTP-related behavior was observed on the kdc.  I'll keep this in mind when I get back to it.


For what I'm interested in, an OTP-only kdc seems reasonable, but I expect there are admin accesses using keytab files that are probably needed in practice.

Hmmm.  I can't do this with Heimdal, but can I have a DB entry with *no* ordinary keys in current MIT?  Have to look.  (Just thinking out loud.)

On Jun 19, 2013, at 11:43 AM, Nathaniel McCallum <npmccallum at redhat.com> wrote:

> On Wed, 2013-06-12 at 00:28 -0700, Henry B. Hotz wrote:
>> OK, so this isn't a question for Dimitri.  How does one set the required "user string" with kadmin?
>> Would it be
>> kadmin.local:  set_string smith at TEST.REALM otp "[{}]"
>> kadmin.local:
> Yes. However, you should be aware that you will also need to disable
> other preauth mechs, or you are not likely to get the behavior you
> desire. FreeIPA does this by returning 0 keys for the user with otp
> enabled. You can do this manually for all users by disabling the plugins
> in the KDC. There is currently no way to delete the keys for the user
> without a KDB plugin.
> Nathaniel

The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz at jpl.nasa.gov, or hbhotz at oxy.edu

More information about the krbdev mailing list