[39237] in Kerberos


Re: help with OTP

daemon@ATHENA.MIT.EDU (Matt Zagrabelny via Kerberos)
Wed Apr 26 12:46:25 2023

MIME-Version: 1.0
In-Reply-To: <202304261629.33QGTlJ8015728@hedwig.cmf.nrl.navy.mil>
Date: Wed, 26 Apr 2023 11:41:39 -0500
Message-ID: <CAOLfK3XRaYoT+NgbjDCbEaKow36QpTjrFrjGO-jGW96=7z9u_A@mail.gmail.com>
To: Ken Hornstein <kenh@cmf.nrl.navy.mil>
Cc: kerberos <kerberos@mit.edu>
From: Matt Zagrabelny via Kerberos <kerberos@mit.edu>
Reply-To: Matt Zagrabelny <mzagrabe@d.umn.edu>
Content-Type: text/plain; charset="utf-8"
Errors-To: kerberos-bounces@mit.edu
Content-Transfer-Encoding: 8bit

On Wed, Apr 26, 2023 at 11:29 AM Ken Hornstein <kenh@cmf.nrl.navy.mil> wrote:
>
> >Since I am currently only interested in anonymous auth, I thought I
> >could skip that directive. But alas:
>
> Right, so, here's where my limited knowledge of FAST comes into play.
>
> As I understand it, you need to be able to use a trusted key to
> authenticate with the KDC to create the FAST channel.  Your options
> are using an already-existing key (such as a host key) or anonymous
> PKINIT.  But the "anonymous" part of anonymous PKINIT only refers to the
> CLIENT being anonymous; you still need the client to be able to verify
> the KDC's certificate (otherwise anyone could pretend to be your KDC and
> you could end up sending your OTP output to them, which would be bad).

Agreed.

The docs that I referenced still made it seem that the anchor config
was somewhat optional for anonymous auth.

...but maybe I wasn't reading those lines with the proper mindset or context.

> That's the piece you were missing.  Once you have the FAST channel set
> up then you can use that to securely send the OTP response.
>
> I see in a later message you got it working; great!  Just FYI in case
> anyone else asks, the key line in that trace output was this:
>
> [1185088] 1682519355.427424: Processing preauth types: PA-PK-AS-REQ
> (16), PA-FX-FAST (136), PA-ETYPE-INFO2 (19), PA-PKINIT-KX (147),
> PA-ENCRYPTED-CHALLENGE (138), PA_AS_FRESHNESS (150), PA-FX-COOKIE
> (133), PA-FX-ERROR (137)
>
> You're missing PA-OTP-REQUEST, which was because (as you discovered)
> that plugin wasn't installed.  But that requires a lot of Kerberos
> knowledge to get to that point :-/

Yup!

> It does occur to me a useful addition to kinit might be a flag that
> means "authenticate using anonymous PKINIT and then use those
> credentials as a FAST armour credential cache" so you wouldn't have
> to muck around with juggling credential caches.

That would be great and would eliminate an impending shell alias for me:

alias kinit-otp='kinit -n -c /tmp/somecache; kinit -T /tmp/somecache'

Thanks for all the help, Ken (and BuzzSaw and Greg). It is very appreciated!

-m

________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
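The two-step procedure behind the alias above (anonymous PKINIT into a separate credential cache, then using that cache as FAST armor for the OTP-authenticated kinit), together with a check of the KRB5_TRACE line Ken pointed at, as an added example that is not code from this thread or from MIT Kerberos. The kinit options -n, -c and -T are real MIT kinit options; the ccache path, the pkinit_anchors grep, the function names and the second sample trace line (with the PA-OTP-REQUEST code taken from RFC 6560) are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread or from MIT Kerberos itself.
#   1. kinit_otp: the procedure behind the mail's alias (anonymous PKINIT into
#      a separate ccache, then that ccache as FAST armor for the real kinit).
#   2. offered_preauth_types / kdc_offers_preauth: read the
#      "Processing preauth types:" event out of a KRB5_TRACE log and tell
#      whether the KDC offered PA-OTP-REQUEST at all.

ARMOR_CCACHE="${ARMOR_CCACHE:-FILE:/tmp/krb5cc_armor_$(id -u)}"   # assumed path
KRB5_CONF="${KRB5_CONFIG:-/etc/krb5.conf}"

# Print the preauth type names from the first "Processing preauth types:"
# event in a KRB5_TRACE log passed as a string, one name per line, numeric
# codes stripped. Each trace event is one line; the mail only shows it wrapped.
offered_preauth_types() {
    printf '%s\n' "$1" |
        sed -n 's/.*Processing preauth types: //p' | head -n 1 |
        tr ',' '\n' | sed 's/^ *//; s/ *([0-9]*)$//'
}

# Exit 0 if the KDC offered preauth type $1 (for example PA-OTP-REQUEST)
# according to trace log $2, 1 otherwise.
kdc_offers_preauth() {
    offered_preauth_types "$2" | grep -qx -- "$1"
}

# Anonymous PKINIT followed by a FAST-armored kinit for $1 (user@REALM).
# The client is anonymous in step 1, but pkinit_anchors in krb5.conf must
# still name the CA that issued the KDC certificate; otherwise the KDC cannot
# be verified and the OTP value would go to whoever answered.
kinit_otp() {
    principal="$1"
    [ -n "$principal" ] || { echo "usage: kinit_otp user@REALM" >&2; return 2; }
    if ! grep -q 'pkinit_anchors' "$KRB5_CONF" 2>/dev/null; then
        echo "warning: no pkinit_anchors in $KRB5_CONF (may live in an included file)" >&2
    fi
    # Step 1: anonymous PKINIT into a cache that holds only the armor ticket.
    kinit -n -c "$ARMOR_CCACHE" || { echo "anonymous PKINIT failed" >&2; return 1; }
    # Step 2: the real authentication, armored with that cache; the OTP prompt
    # is driven by the KDC's PA-OTP-REQUEST inside the FAST tunnel.
    kinit -T "$ARMOR_CCACHE" "$principal"
}

# Constructed samples for the trace check. The first is the preauth list from
# the mail, joined back onto one line (no PA-OTP-REQUEST: the otp plugin was
# not installed); the second adds it (code 142 per RFC 6560).
TRACE_NO_OTP='[1185088] 1682519355.427424: Processing preauth types: PA-PK-AS-REQ (16), PA-FX-FAST (136), PA-ETYPE-INFO2 (19), PA-PKINIT-KX (147), PA-ENCRYPTED-CHALLENGE (138), PA_AS_FRESHNESS (150), PA-FX-COOKIE (133), PA-FX-ERROR (137)'
TRACE_WITH_OTP="$TRACE_NO_OTP, PA-OTP-REQUEST (142)"

for t in "$TRACE_NO_OTP" "$TRACE_WITH_OTP"; do
    if kdc_offers_preauth PA-OTP-REQUEST "$t"; then
        echo "KDC offered PA-OTP-REQUEST"
    else
        echo "KDC did not offer PA-OTP-REQUEST: check the otp preauth plugin on the KDC"
    fi
done
```

Source the file and call `kinit_otp user@REALM`; to diagnose a failing attempt, run it with `KRB5_TRACE=/tmp/kinit.trace` set and pass the file's contents to `kdc_offers_preauth PA-OTP-REQUEST "$(cat /tmp/kinit.trace)"`. Keeping the armor ticket in its own cache means the anonymous credentials never mix with the user's real tickets in the default cache.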

