Re: OTP/FAST: MIT KDC <--> heimdal client integration
daemon@ATHENA.MIT.EDU (Greg Hudson)
Thu Nov 2 10:51:10 2017
To: Oleksandr Yermolenko <aae@sumix.com>, kerberos@mit.edu
From: Greg Hudson <ghudson@mit.edu>
Message-ID: <d9b03d6d-b791-4ed4-a018-7ba54c9d73a5@mit.edu>
Date: Thu, 2 Nov 2017 10:50:45 -0400
MIME-Version: 1.0
In-Reply-To: <20171102110206.51fc5a49@aae-stu.taras.crp>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
On 11/02/2017 05:06 AM, Oleksandr Yermolenko wrote:
> I have a strange (for me?) situation using MIT KDC together with
> Heimdal client. PKINIT/FAST scenario.
I don't believe Heimdal implements FAST OTP.
> kinit --cache=FILE:/tmp/krb5cc_1000 aae@IDM.CRP
> aae@IDM.CRP's Password: passwordOTP
> kinit: Password incorrect
>
> KDC log:
> Nov 02 09:45:56 ipa31.idm.crp krb5kdc[1932](info): preauth (encrypted_timestamp) verify failure: Preauthentication failed
> Nov 02 09:45:56 ipa31.idm.crp krb5kdc[1932](info): preauth
It looks like the Heimdal client is trying to do encrypted timestamp
(not encrypted challenge, so I'm not sure the client is even using FAST
with these options) against whatever long-term keys you have on the
client principal entry. You might want to remove those (with kadmin
purgekeys -all) so that the KDC doesn't offer encrypted
timestamp/encrypted challenge.
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
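As an added example that is not part of the thread, the following Python script parses krb5kdc "preauth (...) verify failure" lines in the format quoted above and reports which preauth mechanisms the KDC is actually falling back to, so an administrator can see from the log whether a principal meant for OTP/FAST is still being offered encrypted timestamp or encrypted challenge. The sample log lines are constructed; the mechanism names other than encrypted_timestamp are assumed module names and may differ on a given KDC.

```python
import re
from collections import Counter

# Constructed sample lines modelled on the krb5kdc log format quoted in the
# message above. Only the first line reproduces the page's own output; the
# other two are assumed for contrast.
SAMPLE_LOG = """\
Nov 02 09:45:56 ipa31.idm.crp krb5kdc[1932](info): preauth (encrypted_timestamp) verify failure: Preauthentication failed
Nov 02 09:45:56 ipa31.idm.crp krb5kdc[1932](info): preauth (encrypted_challenge) verify failure: Preauthentication failed
Nov 02 09:46:10 ipa31.idm.crp krb5kdc[1932](info): preauth (otp) verify failure: Preauthentication failed
Nov 02 09:46:11 ipa31.idm.crp krb5kdc[1932](info): unrelated line that should be ignored
"""

# One regex for the "preauth (<mech>) verify failure: <reason>" line shape.
PREAUTH_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"krb5kdc\[(?P<pid>\d+)\]\((?P<level>\w+)\): "
    r"preauth \((?P<mech>[\w-]+)\) verify failure: (?P<reason>.*)$"
)


def parse_preauth_failures(text):
    """Return a list of dicts, one per preauth verify-failure line."""
    records = []
    for line in text.splitlines():
        match = PREAUTH_RE.match(line)
        if match:
            records.append(match.groupdict())
    return records


def failures_by_mechanism(text):
    """Count verify failures per preauth mechanism name."""
    return Counter(rec["mech"] for rec in parse_preauth_failures(text))


def unexpected_mechanisms(text, expected=("otp",)):
    """Mechanisms the KDC tried that are outside the expected set.

    On the page, encrypted_timestamp appearing for a principal that was
    supposed to use OTP/FAST is the symptom that the principal entry still
    carries long-term keys the KDC will offer timestamp/challenge preauth for.
    """
    return sorted(set(failures_by_mechanism(text)) - set(expected))


if __name__ == "__main__":
    for mech, count in failures_by_mechanism(SAMPLE_LOG).items():
        print(f"{mech}: {count} failure(s)")
    print("unexpected:", unexpected_mechanisms(SAMPLE_LOG))
```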