[37524] in Kerberos
Re: Kerberos and OTP
daemon@ATHENA.MIT.EDU (Dmitri Pal)
Thu Jun 16 13:08:25 2016
To: kerberos@mit.edu
From: Dmitri Pal <dpal@redhat.com>
Message-ID: <5762C437.9000700@redhat.com>
Date: Thu, 16 Jun 2016 11:22:31 -0400
In-Reply-To: <5762B2E1.9000408@i-carre.net>
Reply-To: dpal@redhat.com
On 06/16/2016 10:08 AM, Laurent.Bastet@i-carre.net wrote:
> Hello all,
>
> Can you tell me if it is possible to get a TGT without entering a password,
> but only using an OTP token?
> I found some tutorials on the internet (i.e.
> http://web.mit.edu/Kerberos/krb5-1.13/doc/admin/otp.html), but none
> works; the token is never asked for: when I do kinit, only the password is
> requested, and then I have to run "kinit -T armor_ccache" for a token
> to be requested.
>
> And even if I don't run the command "kinit -T", I can access machines...
>
> Regards,
>
> Laurent.
> ________________________________________________
> Kerberos mailing list Kerberos@mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>
>
The OTP feature requires a FAST tunnel, which is accomplished by having
another key and identity on the client for the host.
Then you first kinit with the host and then use it with -T for user
authentication.
--
Thank you,
Dmitri Pal
Engineering Director, Identity Management and Platform Security
Red Hat, Inc.
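
The two-step sequence described in the reply above, as an added example that is not part of the original message: a shell function that runs kinit as the host into a separate armor ccache and then hands that cache to kinit -T for the user. The realm, principal names and keytab path are constructed placeholders, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: FAST-armored kinit for OTP with the MIT krb5 client tools.
# Realm, principals and keytab path are constructed placeholders.
REALM="EXAMPLE.COM"
KEYTAB="/etc/krb5.keytab"                     # holds the host's key
HOST_PRINC="host/client.example.com@$REALM"   # the host's own identity

# run CMD...: execute the command, or only print it when DRY_RUN=1
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# otp_kinit USER: get a TGT for USER through a FAST tunnel
otp_kinit() {
    user="$1"
    [ -n "$user" ] || { echo "usage: otp_kinit USER" >&2; return 2; }

    # Private (0700) directory so the armor ccache is not readable by others
    dir=$(mktemp -d) || return 1
    armor="FILE:$dir/armor"
    rc=0

    # Step 1: kinit as the host from its keytab into a separate armor ccache
    # Step 2: kinit as the user with -T, so the AS exchange (and the OTP
    #         prompt) travels inside the tunnel keyed by the host's ticket
    run kinit -k -t "$KEYTAB" -c "$armor" "$HOST_PRINC" &&
        run kinit -T "$armor" "$user@$REALM" || rc=$?

    # The armor ticket is only needed during the exchange; remove it
    run kdestroy -q -c "$armor" || true
    rm -rf "$dir"
    return "$rc"
}
```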