[39239] in Kerberos
Re: help with OTP
daemon@ATHENA.MIT.EDU (Russ Allbery)
Wed Apr 26 15:02:49 2023
From: Russ Allbery <eagle@eyrie.org>
To: Ken Hornstein via Kerberos <kerberos@mit.edu>
In-Reply-To: <202304261528.33QFSGrc012160@hedwig.cmf.nrl.navy.mil> (Ken
Hornstein via Kerberos's message of "Wed, 26 Apr 2023 11:28:16 -0400")
Date: Wed, 26 Apr 2023 11:57:31 -0700
Message-ID: <871qk61nfo.fsf@hope.eyrie.org>
MIME-Version: 1.0
Cc: Ken Hornstein <kenh@cmf.nrl.navy.mil>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
Ken Hornstein via Kerberos <kerberos@mit.edu> writes:
> Well, dang, that's one for the toolbox! I was able to confirm that
> works just fine (but note I already had an existing PKINIT
> infrastructure to leverage). I will note that the existing
> documentation implies you could authenticate to WELLKNOWN/ANONYMOUS
> using your password, but maybe that isn't true? I'm specifically
> referring to the documentation for the '-n' option for kinit, the
> "second form" of anonymous tickets. There is a note that this isn't
> supported, but it mentions MIT Kerberos 1.8 so one could believe that
> note is out of date.
> This is kind of the giant mystery surrounding FAST. If you're not
> familiar with the gory details of the FAST protocol you're kind of left
> stumbling around to figure out what exactly you need to do. I realize
> this is probably because it's hard to write documentation for beginners
> (certainly I am guilty of this also); I'm only making this as a general
> observation.
I worked through a bunch of this for pam-krb5 back in the day and made it
support a set of reasonable things, including anonymous PKINIT to
establish the FAST armor. People who are working in this area may find
its source code useful to look at, although I think there have been
improvements since then and what it does may no longer be best practice.
https://github.com/rra/pam-krb5/blob/main/module/fast.c
--
Russ Allbery (eagle@eyrie.org) <https://www.eyrie.org/~eagle/>
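The two-step procedure the thread refers to (anonymous PKINIT for the armor ticket, then an armored password kinit), as an added shell example that is not from the thread, pam-krb5 or MIT Kerberos; it assumes MIT `kinit`/`kdestroy`, a KDC that issues fully anonymous PKINIT tickets, and a constructed realm name:

```sh
#!/bin/sh
# Added example: establish FAST armor with anonymous PKINIT, then use it
# for a password-based kinit. Realm and cache path below are constructed.

REALM=${REALM:-EXAMPLE.ORG}
ARMOR_CC=${ARMOR_CC:-/tmp/armor_cc_$$}

# Arguments for the armor ticket: "-n @REALM" asks for the fully anonymous
# principal WELLKNOWN/ANONYMOUS via PKINIT (the form that works against an
# MIT KDC); "-c" keeps it in its own cache so the user's tickets stay intact.
armor_args() {
    cc=$1; realm=$2
    printf '%s' "-n -c $cc @$realm"
}

# Arguments for the armored login: "-T" names the armor cache, so kinit
# runs the AS exchange inside a FAST tunnel and a captured AS-REP no longer
# gives an attacker material for offline password guessing.
fast_args() {
    cc=$1; user=$2
    printf '%s' "-T $cc $user"
}

# Run both steps; the armor cache is removed again once the TGT is issued.
fast_login() {
    cc=$1; user=$2; realm=$3
    if ! command -v kinit >/dev/null 2>&1; then
        echo "kinit not installed; nothing run" >&2
        return 2
    fi
    kinit $(armor_args "$cc" "$realm") || return 1
    kinit $(fast_args "$cc" "$user") || { kdestroy -c "$cc"; return 1; }
    kdestroy -c "$cc"
}

# Usage: sh fast_login.sh user@EXAMPLE.ORG
if [ -n "${1:-}" ]; then
    fast_login "$ARMOR_CC" "$1" "$REALM"
fi
```

If the armor step fails with a PKINIT error, check that `pkinit_anchors` is set in the client's krb5.conf and that the KDC permits anonymous requests, since those are the prerequisites for the "-n @REALM" form.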
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos