[39225] in Kerberos


help with OTP

daemon@ATHENA.MIT.EDU (Matt Zagrabelny via Kerberos)
Mon Apr 24 17:48:19 2023

Date: Mon, 24 Apr 2023 16:42:44 -0500
Message-ID: <CAOLfK3WVppnk3eouiLTxhiR5gXQcCVd7K5xr_erP=y_RkeVpPw@mail.gmail.com>
To: kerberos <kerberos@mit.edu>
From: Matt Zagrabelny via Kerberos <kerberos@mit.edu>
Reply-To: Matt Zagrabelny <mzagrabe@d.umn.edu>

Greetings Kerberos folks,

I am attempting to understand a bit more of the OTP support in MIT's
Kerberos implementation.

I'm running Debian stable:

ii  krb5-kdc       1.18.3-6+deb11u3

I'm looking at the docs at:

https://web.mit.edu/kerberos/krb5-1.13/doc/admin/conf_files/kdc_conf.html#otp

The docs say about the "secret":

---<cut>---
This tag indicates a filename (which may be relative to
LOCALSTATEDIR/krb5kdc) containing the secret used to encrypt the
RADIUS packets. The secret should appear in the first line of the file
by itself; leading and trailing whitespace on the line will be
removed. If the value of server is a Unix domain socket address, this
tag is optional, and an empty secret will be used if it is not
specified. Otherwise, this tag is required.
---<cut>---

which seems to indicate that the secret should be a path to a file.

The example:

---<cut>---
[otp]
    MyRemoteTokenType = {
        server = radius.mydomain.com:1812
        secret = SEmfiajf42$
        timeout = 15
        retries = 5
        strip_realm = true
    }
---<cut>---

makes it look like you can put the secret directly into the
configuration file. There seems to be a little bit of disconnect
between those two parts of the docs. I just wanted to point it out if
it is helpful.

I've tried to configure my kdc.conf with the required otp stanzas:

[otp]
    MyRemoteTokenType = {
        server = radius.mydomain.com
        secret = super_secret_with_radiusd
        timeout = 15
        retries = 5
        strip_realm = true
    }

and I've set the otp string for my principal:

kadmin.local:  set_string bob@MYDOMAIN.COM otp
[{"type":"MyRemoteTokenType ","username":"bob"}]
Attribute set for principal "bob@MYDOMAIN.COM".

When I kinit, I don't see any traffic go to the radius server (neither
in the kdc logs, nor in the radiusd logs) and I type my password for
kerberos, which is different from my radius password, and I get the
TGT:

$ klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: bob@MYDOMAIN.COM

Valid starting       Expires              Service principal
04/24/2023 16:17:02  04/25/2023 02:17:02  krbtgt/MYDOMAIN.COM@MYDOMAIN.COM
        renew until 04/25/2023 16:16:50

Any ideas what I am missing, or what steps I could take to debug this further?

Thanks for the help!

-m
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
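An added consistency check, not part of the original post and not code from MIT krb5: it parses a kdc.conf [otp] stanza and a principal's otp string and reports token types that do not match a configured name exactly, plus a missing `secret` where `server` is not a Unix domain socket (the requirement the quoted docs state). The check assumes the KDC compares type names exactly and that a Unix domain socket address starts with `/`; both sample inputs are constructed from the values in the post.

```python
import json
import re

# Constructed sample: the [otp] stanza from the post's kdc.conf.
KDC_CONF = """
[otp]
    MyRemoteTokenType = {
        server = radius.mydomain.com
        secret = super_secret_with_radiusd
        timeout = 15
        retries = 5
        strip_realm = true
    }
"""

# Constructed sample: the otp string set with kadmin's set_string in the post,
# reproduced with the trailing space inside the "type" value.
OTP_STRING = '[{"type":"MyRemoteTokenType ","username":"bob"}]'


def parse_otp_stanza(conf):
    """Return {token_type: {key: value}} for the [otp] section of a kdc.conf."""
    types, current, in_otp = {}, None, False
    for raw in conf.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_otp = line == "[otp]"
            continue
        if not in_otp or not line:
            continue
        m = re.match(r"^(\S+)\s*=\s*\{$", line)
        if m:
            current = m.group(1)
            types[current] = {}
        elif line == "}":
            current = None
        elif current is not None and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            types[current][key] = value
    return types


def check_stanza(types):
    """Per the quoted docs: server is required; secret is required unless
    server is a Unix domain socket (assumed here to be a path starting with '/')."""
    problems = []
    for name, cfg in types.items():
        server = cfg.get("server", "")
        if not server:
            problems.append(f"{name}: missing server")
        elif not server.startswith("/") and "secret" not in cfg:
            problems.append(f"{name}: secret is required unless server is a Unix domain socket")
    return problems


def check_otp_string(otp_string, types):
    """Report token entries whose "type" does not exactly match a configured
    token type (assumption: exact comparison). Entries without "type" use the
    built-in DEFAULT type and are not cross-checked against the stanza."""
    problems = []
    for i, tok in enumerate(json.loads(otp_string)):
        t = tok.get("type")
        if t is None or t in types:
            continue
        hint = ""
        if t.strip() in types:
            hint = f" (differs from configured {t.strip()!r} only by whitespace)"
        problems.append(f"token {i}: type {t!r} not configured in [otp]{hint}")
    return problems


if __name__ == "__main__":
    cfg = parse_otp_stanza(KDC_CONF)
    for p in check_stanza(cfg) + check_otp_string(OTP_STRING, cfg):
        print(p)
```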
