Kerberos OTP with FreeRadius
daemon@ATHENA.MIT.EDU (Brennecke, Simon)
Fri Jul 7 01:54:47 2017
From: "Brennecke, Simon" <simon.brennecke@sap.com>
To: "kerberos@mit.edu" <kerberos@mit.edu>
Date: Fri, 7 Jul 2017 05:54:19 +0000
Message-ID: <92178aa5a42a4399b4bacc0c6824fba0@sap.com>
Hi all,
I'm trying to configure a MIT Kerberos server (I believe version 1.15) to do OTP preauth against a FreeRadius server on a Debian 9 host.
What I did so far was:
1) installed and configured FreeRadius to only do OTP with google-authenticator via PAM => works
2) installed and configured MIT Kerberos with a couple of principals => "kinit -p simon" works
3) I followed https://web.mit.edu/kerberos/krb5-1.13/doc/admin/otp.html
4) I realized that I probably also need PKINIT for FAST to work, so I also followed https://web.mit.edu/kerberos/krb5-1.13/doc/admin/pkinit.html, but only the server portion. I skipped the client part. I was using my own CA.
5) I did 'set_string simon otp "[]"' and "modprinc +need_pre_auth simon"
6) restarted KDC
Here is where I am a bit unsure now. I kind of expect "kinit -p simon" now to either ask me for my password AND my OTP token, or at least fail with some error message. But instead it succeeds if I just enter my password.
From the logs I can see that the OTP module gets loaded and that, when I do kinit, some sort of PREAUTH is required, but apparently it is handled successfully and completely without an OTP token.
I then started to fiddle with the "authentication indicators", but I'm afraid I do not properly understand their part in all this.
Can somebody please advise me what is missing?
Also, can somebody explain how this integrates with PAM-Kerberos on a client machine? Will PAM then prompt the user for the OTP token and password?
Many thanks & Regards
Simon
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
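An added example, not taken from Simon's post or from the MIT documentation he links: a kdc.conf [otp] stanza that names the RADIUS token type explicitly, followed (as comments) by the kadmin and kinit commands that exercise it inside a FAST tunnel. The realm name, RADIUS address, secret path and indicator name are assumptions, and the client side assumes anonymous PKINIT is already set up so that `kinit -n` can obtain the armor ticket.

```ini
# kdc.conf excerpt (constructed example; realm, RADIUS address, secret
# path and indicator name are assumptions, not values from the post)
[otp]
    # Token type referenced from the principal's "otp" string attribute.
    # With set_string ... otp "[]" the KDC uses the type named DEFAULT
    # instead; naming the type makes the binding explicit.
    googleauth = {
        server = 127.0.0.1:1812
        secret = /etc/krb5kdc/radius.secret
        timeout = 5
        retries = 2
        strip_realm = true
        # Authentication indicator stamped into tickets obtained via OTP
        # (requires krb5 1.14 or later on the KDC).
        indicator = otp
    }

# Principal setup, run through kadmin (shown here as comments).
# A principal that must only ever authenticate via OTP is best created
# with -nokey: without a long-term key, no password-based preauth
# mechanism (encrypted timestamp or encrypted challenge) can succeed.
#   kadmin.local -q 'addprinc -nokey simon'
#   kadmin.local -q 'set_string simon otp [{"type":"googleauth","indicators":["otp"]}]'
#   kadmin.local -q 'modprinc +requires_preauth simon'
#
# Client side: the OTP preauth mechanism is only offered inside FAST,
# so obtain an armor ticket first (anonymous PKINIT), then kinit with it.
# A kinit that is not armored never sees the OTP prompt at all.
#   kinit -n -c /tmp/armor.ccache
#   kinit -T /tmp/armor.ccache simon
```

On the KDC side, a successful OTP exchange shows up in the KDC log as an AS_REQ for the principal with the OTP preauth type, and services can then require the "otp" indicator rather than trusting any password-based ticket.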