[39227] in Kerberos


Re: help with OTP

daemon@ATHENA.MIT.EDU (Matt Zagrabelny via Kerberos)
Tue Apr 25 12:43:39 2023

MIME-Version: 1.0
In-Reply-To: <202304242225.33OMPJdw026540@hedwig.cmf.nrl.navy.mil>
Date: Tue, 25 Apr 2023 11:38:11 -0500
Message-ID: <CAOLfK3XZF95-XoaW8y8cMrMETpWQNV-=EEkMyreo18WXH5M3sg@mail.gmail.com>
To: Ken Hornstein <kenh@cmf.nrl.navy.mil>
Cc: kerberos <kerberos@mit.edu>
From: Matt Zagrabelny via Kerberos <kerberos@mit.edu>
Reply-To: Matt Zagrabelny <mzagrabe@d.umn.edu>
Content-Type: text/plain; charset="utf-8"
Errors-To: kerberos-bounces@mit.edu
Content-Transfer-Encoding: 8bit

Hi Ken!

On Mon, Apr 24, 2023 at 5:25 PM Ken Hornstein <kenh@cmf.nrl.navy.mil> wrote:
>
> >make it look like you can put the secret directly into the
> >configuration file. There seems to be a little bit of disconnect
> >between those two parts of the docs. I just wanted to point it out if
> >it is helpful.
>
> It looks like (according to the source code) it has to have that as
> a filename.

Thanks for source diving and confirming how to use that config directive.

> >I've tried to configure my kdc.conf with the required otp stanzas:
>
> Well, it's a preauthentication mechanism, so FIRST you have to make sure
> your principal is configured to require preauthentication.

Sure. I just did that:

kadmin.local:  modify_principal +requires_preauth bob@MYDOMAIN.COM
Principal "bob@MYDOMAIN.COM" modified.

I've searched the docs and didn't find anything, but... I don't
suppose there is a config item for the KDC to require preauth for
"user" principals?

> And there is a note at the bottom of that page that suggests you need to
> be using FAST which implies you need to set up a FAST credential cache.

I've done some searching and found:

https://web.mit.edu/kerberos/krb5-1.12/doc/basic/ccache_def.html

...but no mention of FAST.


> And I will be the first person to confess that I've always been a little
> hazy on how exactly that works!  (We do use an OTP preauthentication
> mechanism but it predates the newer OTP mechanism you're using).  I am
> not aware of any extant documentation that explains how you're supposed
> to use FAST in practice, which I always found a bit odd.

I haven't found any documentation about configuring the KDC to use FAST.

> I wasn't involved with Kerberos protocol development when FAST was
> designed but I remember a lot of messages about it, but it seems like
> there's a giant hole on how exactly you're supposed to use it when it
> comes down to the nuts and bolts.  If there is some documentation about
> it, hey, I'd love to read it!

Ditto.

> One of my long-term plans is to migrate our weird stuff to something
> based on OTP which would involve FAST and I sure hope that's actually
> possible in practice (I am aware that without an available local keytab
> you'd have to do anonymous PKINIT and that wouldn't be too bad for us
> since we already have all of the certificate stuff deployed for PKINIT
> with Kerberos, but if you DIDN'T already have everything set up for
> PKINIT it would be about as much fun as a punch in the face from John
> Cena).
>
> My guess is you could use kinit -k to get a TGT based on a keytab on the
> host and then give THAT credential cache you create to the kinit command
> using the -T option.  Again, that's just a guess.

Yeah... I'm unsure how this all plumbs together.

Thanks for the reply. Maybe someone else, with FAST experience (?),
will chime in.

Cheers,

-m

________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
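The plumbing the thread is guessing at, spelled out as an added example that is not part of the thread and not code from MIT krb5 or its documentation: the kdc.conf [otp] stanza (where "secret" names a file, as Ken confirmed from the source), a per-realm default so that newly created principals require preauth, the modprinc step Matt ran, a check that the flag really is set on the principal, and Ken's -k / -T idea of arming FAST with a TGT from the host keytab. The realm is the one from the thread; the RADIUS host, secret path, keytab path and the token type name "MyToken" are assumptions, and the getprinc output used by the check is constructed, not captured from a KDC.

```shell
#!/bin/sh
# Added example, not code from the thread or from MIT krb5: wiring OTP
# preauth over FAST. Realm, hostnames, paths and the token type name are
# assumptions; nothing below talks to a KDC until a function is called.

REALM="MYDOMAIN.COM"                     # realm used in the thread
KEYTAB="/etc/krb5.keytab"                # assumption: host keytab lives here
ARMOR_CC="FILE:/tmp/krb5cc_armor_$$"     # throwaway armor ccache
TOKEN_TYPE="MyToken"                     # assumed name of the [otp] stanza

# kdc.conf fragments. "secret" is a FILE holding the RADIUS shared secret
# (as confirmed upthread from the source), not the secret itself.
# default_principal_flags = +preauth makes NEW principals in the realm
# require preauth; principals that already exist still need modprinc.
kdc_conf_fragment() {
  cat <<EOF
[realms]
    ${REALM} = {
        default_principal_flags = +preauth
    }

[otp]
    ${TOKEN_TYPE} = {
        server = radius.mydomain.com:1812
        secret = /var/lib/krb5kdc/radius.secret
        timeout = 5
        retries = 3
        strip_realm = true
        indicator = otp
    }
EOF
}

# Flip the flag on an existing principal (what Matt did, non-interactively).
# The principal additionally needs an "otp" string attribute naming the
# token type above; see the krb5 OTP docs for the setstr syntax.
require_preauth() {
  kadmin.local -q "modify_principal +requires_preauth $1@${REALM}"
}

# Did the flag actually stick? Inspect the Attributes line of getprinc
# output rather than trusting the "modified" message.
has_requires_preauth() {
  printf '%s\n' "$1" | awk '
    /^Attributes:/ { for (i = 2; i <= NF; i++) if ($i == "REQUIRES_PRE_AUTH") found = 1 }
    END { print (found ? "yes" : "no") }'
}

# Ken's guess, spelled out: armor with a TGT from the host keytab, then do
# the user's OTP preauth inside that armor via kinit -T. Without a keytab,
# anonymous PKINIT is the other armor source:  kinit -n -c "$ARMOR_CC"
fast_otp_kinit() {
  user="$1"
  kinit -k -t "$KEYTAB" -c "$ARMOR_CC" "host/$(hostname -f)@${REALM}"
  kinit -T "$ARMOR_CC" "${user}@${REALM}"      # prompts for the OTP value
  kdestroy -c "$ARMOR_CC"                      # armor is no longer needed
}

# Constructed getprinc output (not captured from a real KDC) for the check.
SAMPLE_BOB='Principal: bob@MYDOMAIN.COM
Expiration date: [never]
Attributes: REQUIRES_PRE_AUTH
Policy: [none]'
SAMPLE_ALICE='Principal: alice@MYDOMAIN.COM
Attributes:
Policy: [none]'
```

On a real KDC the check is `has_requires_preauth "$(kadmin.local -q "getprinc bob@$REALM")"`; the OTP login itself is `fast_otp_kinit bob`, which leaves bob's TGT in the default ccache and throws the armor cache away. Note that the armor TGT comes from a keytab the client host must already hold, which is exactly the gap Ken points at: a host without a keytab has to fall back on anonymous PKINIT for the armor.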

