[37258] in Kerberos


Re: Information request Duo Integration for kinit

daemon@ATHENA.MIT.EDU (Greg Hudson)
Fri Oct 16 17:49:22 2015

To: Booker Bense <bbense@gmail.com>, "kerberos@mit.edu" <kerberos@mit.edu>
From: Greg Hudson <ghudson@mit.edu>
Message-ID: <562170CF.5090709@mit.edu>
Date: Fri, 16 Oct 2015 17:49:03 -0400
MIME-Version: 1.0
In-Reply-To: <CAEGpuohh--UYWoyE9uw=bcKgm6r6wQi03icvVJhvLnFvJijyHQ@mail.gmail.com>
Cc: Richard Basch <basch@alum.mit.edu>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

On 10/16/2015 12:23 PM, Booker Bense wrote:
> In poking around on the web, I've found that MIT has some duo integration
> for
> the kinit program.
> 
> Is there any documentation available on how this was implemented?

It's a custom kdcpreauth module using the SAM-2 mechanism, with repeated
KDC_ERR_PREAUTH_REQUIRED responses and KDC state.  We are hoping to make
it open source at some point, but need to do some cleanup first.

The security properties of SAM-2 aren't great, and it isn't implemented
in any krb5 implementation other than MIT's.  We are also working on a
SPAKE2-based preauth mechanism which should eventually enable a much
better integration of second factors, including Duo.

(CC'd Richard Basch as he asked the same question a couple of weeks ago.)
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
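A simplified model of the exchange Greg describes (a KDC that answers AS-REQs with repeated KDC_ERR_PREAUTH_REQUIRED carrying a SAM-2 challenge until a valid second-factor response arrives, keeping per-principal state between rounds), added here as an illustration and not code from MIT's module. The padata type numbers and error code are the standard ones, but the response format is a stand-in (an HMAC over the challenge nonce with a constructed secret), not the real SAM-2 encoding; the `Kdc` class, `as_req` and `client_response` are hypothetical names.

```python
import hashlib
import hmac
import secrets
import time

KDC_ERR_PREAUTH_REQUIRED = 25              # RFC 4120 error code
PA_SAM_CHALLENGE_2, PA_SAM_RESPONSE_2 = 30, 31  # SAM-2 padata types


class Kdc:
    """Toy KDC holding second-factor state across AS-REQ rounds."""

    def __init__(self, otp_secrets, ttl=60):
        self.otp_secrets = otp_secrets  # principal -> shared secret (constructed)
        self.state = {}                 # principal -> (nonce, expiry)
        self.ttl = ttl

    def as_req(self, principal, padata=None, now=None):
        now = time.time() if now is None else now
        pending = self.state.get(principal)
        if pending and pending[1] < now:
            del self.state[principal]   # stale state is discarded, never reused
            pending = None
        if padata and padata[0] == PA_SAM_RESPONSE_2 and pending:
            nonce, _ = pending
            del self.state[principal]   # single use, consumed even on failure
            expected = hmac.new(self.otp_secrets[principal], nonce,
                                hashlib.sha256).hexdigest()
            if hmac.compare_digest(expected, padata[1]):
                return ("AS_REP", None)
        # First round, wrong/replayed response, or expired state: re-challenge.
        nonce = secrets.token_bytes(16)
        self.state[principal] = (nonce, now + self.ttl)
        return (KDC_ERR_PREAUTH_REQUIRED, (PA_SAM_CHALLENGE_2, nonce))


def client_response(secret, challenge):
    """Client side: answer the challenge with the stand-in HMAC response."""
    return (PA_SAM_RESPONSE_2,
            hmac.new(secret, challenge[1], hashlib.sha256).hexdigest())
```

The sequence to watch is that a replayed or wrong response never yields an AS-REP; the KDC simply issues another KDC_ERR_PREAUTH_REQUIRED with a fresh nonce.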
