[38012] in Kerberos
Re: Kerberos OTP with FreeRadius
daemon@ATHENA.MIT.EDU (Felix Weissbeck)
Fri Jul 7 05:05:13 2017
From: Felix Weissbeck <contact-kerberos@w7k.de>
To: kerberos@mit.edu
Date: Fri, 07 Jul 2017 11:04:47 +0200
Message-ID: <9932119.xzEs4vG1OH@mutant>
In-Reply-To: <92178aa5a42a4399b4bacc0c6824fba0@sap.com>
Cc: "Brennecke, Simon" <simon.brennecke@sap.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
Hi,
On Friday, 7 July 2017, 07:54:19 CEST, Brennecke, Simon wrote:
> Here is where I am a bit unsure now. I kinda expect "kinit -p simon" now to
> either ask me for my password AND my OTP token, or at least fail with some
> error message. But instead it succeeds if I just enter my password.
As far as I understand the pre-auth, it succeeds if you enter a correct
password OR if the RADIUS authentication is successful.
One solution is to remove the password from the Kerberos database, so it only
works if the RADIUS auth is successful.
kadmin -q 'purgekeys -all YOUR_PRINCNAME'
(see: https://web.mit.edu/kerberos/krb5-1.13/doc/admin/pkinit.html)
The "problem" here is that you can now obtain a Kerberos ticket with your
second factor alone; so you could configure PAM to successfully authenticate
with password+token.
I have a setup that asks for a password plus (yubikey or google-auth).
The PAM-configuration looks like this:
# OTP stage: each module takes the combined string, checks its OTP part and
# on success jumps past the pam_deny below (success=N skips the next N lines).
auth [success=2 default=ignore] pam_google_authenticator.so try_first_pass forward_pass
auth [success=1 default=ignore] pam_yubico.so id=2 authfile=/etc/yubikeyid url=http://127.0.0.1/wsapi/2.0/verify?id=%d&otp=%s try_first_pass
# Neither OTP module succeeded: stop here with a failure.
auth requisite pam_deny.so
# Password stage: the remaining password is checked against the local account.
auth [success=1 default=ignore] pam_unix.so use_first_pass
auth requisite pam_deny.so
auth required pam_permit.so
> Also can somebody explain how this integrates with PAM-kerberos on a client
> machine? Will PAM then prompt the user for the OTP token and password?
The authentication works with passwordotp supplied as one string.
Hope this helps. If anyone has a better approach please let me know.
Best regards
Felix
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
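As an added example (not from Felix's post or any project code), a small Python simulator of the PAM auth stack he posted, walking it with PAM's control-flag semantics so you can check which factor combinations the stack admits. Module verdicts are stubbed booleans supplied by the caller; pam_deny.so and pam_permit.so are hard-wired, and no real PAM is invoked.

```python
# Simulator for the posted PAM auth stack (constructed example, not real PAM).
STACK = [
    ("[success=2 default=ignore]", "pam_google_authenticator.so"),
    ("[success=1 default=ignore]", "pam_yubico.so"),
    ("requisite", "pam_deny.so"),
    ("[success=1 default=ignore]", "pam_unix.so"),
    ("requisite", "pam_deny.so"),
    ("required", "pam_permit.so"),
]


def run_stack(results):
    """Walk STACK top to bottom; results maps module name -> bool verdict.
    pam_deny.so always fails and pam_permit.so always succeeds."""
    results = dict(results, **{"pam_deny.so": False, "pam_permit.so": True})
    i, required_failed = 0, False
    while i < len(STACK):
        control, module = STACK[i]
        ok = results.get(module, False)
        if control.startswith("["):
            # [success=N default=ignore]: on success skip the next N lines,
            # on failure contribute nothing to the final verdict.
            n = int(control.split("success=")[1].split()[0].rstrip("]"))
            i += 1 + n if ok else 1
            continue
        if control == "requisite" and not ok:
            return False  # requisite failure ends the stack immediately
        if control == "required" and not ok:
            required_failed = True  # keep walking, but the result is failure
        i += 1
    return not required_failed


def admitted(password_ok, google_ok=False, yubikey_ok=False):
    """True if the stack would authenticate given these per-module verdicts."""
    return run_stack({
        "pam_unix.so": password_ok,
        "pam_google_authenticator.so": google_ok,
        "pam_yubico.so": yubikey_ok,
    })


if __name__ == "__main__":
    print("password + google-auth :", admitted(True, google_ok=True))
    print("password + yubikey     :", admitted(True, yubikey_ok=True))
    print("password only          :", admitted(True))
    print("OTP only               :", admitted(False, google_ok=True))
```

The walk shows the stack needs the password and at least one OTP module to succeed; a password alone or an OTP alone is stopped by one of the two pam_deny lines.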