Re: OTP, RADIUS, timeouts
daemon@ATHENA.MIT.EDU (Greg Hudson)
Mon Dec 22 16:26:43 2014
Message-ID: <54988C70.6070805@mit.edu>
Date: Mon, 22 Dec 2014 16:26:08 -0500
From: Greg Hudson <ghudson@mit.edu>
MIME-Version: 1.0
To: Tollef Fog Heen <tfheen@err.no>, kerberos@mit.edu
In-Reply-To: <87wq5k6jsd.fsf@xoog.err.no>
Content-Type: text/plain; charset="utf-8"
Errors-To: kerberos-bounces@mit.edu
Content-Transfer-Encoding: 8bit

On 12/22/2014 05:49 AM, Tollef Fog Heen wrote:
> I'm trying to set up the MIT KDC with support for OTP tokens (yubikeys
> in my case, as a single factor, at least initially). I have the entire
> bit from the RADIUS server and backwards working correctly, but I can't
> get the KDC to see replies from the RADIUS server, it complains about
> «connection timed out». Platform is Debian jessie with the packaged
> 1.12.1, but I see the same problem with a 1.13 tar.gz build.

I'm not sure why you're getting this. A local firewall could perhaps
cause this problem, but I don't have high confidence in that hypothesis.
You may need to instrument or debug the OTP verification code
(otp_verify in src/plugins/preauth/otp/main.c) and the RADIUS server, or
look at a packet trace with tcpdump or wireshark.

> The problem also shows itself when running the t_otp test (where I had
> to change the type of User-Password to octets instead of string, but I
> doubt that's the problem):

Ah, thanks for pointing that out. I had started seeing test failures in
pyrad versions new enough to try to decode string attributes as UTF-8,
but hadn't connected the problem to the attribute type in
radius_attributes. I will file a pull request shortly, but you're right
that this isn't connected to your timeout issue.
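
As an added example (not code from this thread or from MIT krb5), the RFC 2865 section 5.2 User-Password hiding shows why the t_otp dictionary entry has to be octets rather than string: the value on the wire is the NUL-padded password XORed with MD5-derived keystream, so it is arbitrary bytes and a UTF-8 decode of it can fail. The function names are my own and the shared secret, Request Authenticator and OTP value are constructed sample inputs.

```python
# Added example, not code from the thread or MIT krb5: RFC 2865 section 5.2
# User-Password hiding, showing why the attribute is binary on the wire.
import hashlib

BLOCK = 16

def hide_user_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Client-side hiding: NUL-pad to a multiple of 16 octets (at least 16), then
    XOR each block with MD5(secret || previous block), where the first "previous
    block" is the 16-octet Request Authenticator."""
    if len(authenticator) != BLOCK:
        raise ValueError("Request Authenticator must be 16 octets")
    if len(password) > 128:
        raise ValueError("RFC 2865 limits User-Password to 128 octets")
    padded_len = max(BLOCK, -(-len(password) // BLOCK) * BLOCK)
    padded = password.ljust(padded_len, b"\x00")
    out, prev = bytearray(), authenticator
    for i in range(0, padded_len, BLOCK):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + BLOCK], key))
        out += prev
    return bytes(out)

def reveal_user_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server-side reversal; trailing NUL padding is stripped, so the scheme
    cannot carry a password that itself ends in NUL."""
    if not hidden or len(hidden) % BLOCK:
        raise ValueError("hidden User-Password must be a non-empty multiple of 16 octets")
    out, prev = bytearray(), authenticator
    for i in range(0, len(hidden), BLOCK):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + BLOCK], key))
        prev = hidden[i:i + BLOCK]
    return bytes(out).rstrip(b"\x00")

def is_text(data: bytes) -> bool:
    """What a dictionary entry typed 'string' effectively demands of the value."""
    try:
        data.decode("utf-8")
    except UnicodeDecodeError:
        return False
    return True

if __name__ == "__main__":
    # Constructed sample values: shared secret, Request Authenticator, OTP code.
    secret, authenticator, otp = b"testing123", bytes(range(16)), b"123456"
    hidden = hide_user_password(otp, secret, authenticator)
    print(len(hidden), "octets:", hidden.hex(), "decodes as UTF-8:", is_text(hidden))
    assert reveal_user_password(hidden, secret, authenticator) == otp
```

A server that shares the client's secret and sees the same Request Authenticator recovers the password; anything that insists the hidden value is text will fail on most real packets.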

________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos