[39229] in Kerberos


Re: help with OTP

daemon@ATHENA.MIT.EDU (Matt Zagrabelny via Kerberos)
Tue Apr 25 16:21:19 2023

MIME-Version: 1.0
In-Reply-To: <CAJhaRZ+wc0N_YX06jdsh8iHTSn1dJoH3bn6q6Mm0V35h-8FARg@mail.gmail.com>
Date: Tue, 25 Apr 2023 15:16:22 -0500
Message-ID: <CAOLfK3Xs9X25-jY+GjXqmNEOYbSNSVMXdBojX=k28FWqenWG+A@mail.gmail.com>
To: BuzzSaw Code <buzzsaw.code@gmail.com>
Cc: kerberos <kerberos@mit.edu>
From: Matt Zagrabelny via Kerberos <kerberos@mit.edu>
Reply-To: Matt Zagrabelny <mzagrabe@d.umn.edu>
Content-Type: text/plain; charset="utf-8"
Errors-To: kerberos-bounces@mit.edu
Content-Transfer-Encoding: 8bit

Hi BuzzSaw,

Thanks for the reply!

On Tue, Apr 25, 2023 at 1:33 PM BuzzSaw Code <buzzsaw.code@gmail.com> wrote:
>
> What we did:
> - in your kdc.conf:
>
> [otp]
>    DEFAULT = {
>         server = localhost6:1812
>         secret = secretfile
>         strip_realm = true
>    }
>
> This assumes your KDC runs a local RADIUS server that will answer
> OTP requests.  Change as needed.


Got it.

>
>
> - create the file 'secretfile' with your shared RADIUS secret in the
> same directory as kdc.conf
>
> - kadmin -q 'addprinc -randkey WELLKNOWN/ANONYMOUS'


-randkey. Do I need to know what the passphrase is?

>
> - kadmin -q 'modprinc +requires_preauth user'
> - kadmin -q 'setstr user otp []'
>
> Testing:
>
> Get an initial TGT with anonymous auth
> - kinit -n -c /tmp/somecache


I tried this, but it prompted me:

$ kinit -n -c /tmp/somecache
Password for WELLKNOWN/ANONYMOUS@MYDOMAIN.COM:
kinit: Password incorrect while getting initial credentials

...so I went and changed the password for the WELLKNOWN/ANONYMOUS
principal. Then...

$ kinit -n -c /tmp/somecache
Password for WELLKNOWN/ANONYMOUS@MYDOMAIN.COM:
kinit: Reply has wrong form of session key for anonymous request while
getting initial credentials

I've never requested anonymous credentials before.

Does anyone know how to correctly request them?

Thanks,

-m

________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos

