[36691] in Kerberos
Re: OTP, RADIUS, timeouts
daemon@ATHENA.MIT.EDU (Tollef Fog Heen)
Tue Dec 23 10:35:32 2014
From: Tollef Fog Heen <tfheen@err.no>
To: kerberos@mit.edu
Date: Tue, 23 Dec 2014 09:48:01 +0100
In-Reply-To: <54988C70.6070805@mit.edu> (Greg Hudson's message of "Mon, 22 Dec 2014 16:26:08 -0500")
Message-ID: <877fxi7nwe.fsf@xoog.err.no>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Errors-To: kerberos-bounces@mit.edu
Content-Transfer-Encoding: 8bit
]] Greg Hudson
> On 12/22/2014 05:49 AM, Tollef Fog Heen wrote:
> > I'm trying to set up the MIT KDC with support for OTP tokens (yubikeys
> > in my case, as a single factor, at least initially). I have the entire
> > bit from the RADIUS server and backwards working correctly, but I can't
> > get the KDC to see replies from the RADIUS server, it complains about
> > «connection timed out». Platform in Debian jessie with the packaged
> > 1.12.1, but I see the same problem with a 1.13 tar.gz build.
>
> I'm not sure why you're getting this. A local firewall could perhaps
> cause this problem, but I don't have high confidence in that hypothesis.
> You may need to instrument or debug the OTP verification code
> (otp_verify in src/plugins/preauth/otp/main.c) and the RADIUS server, or
> look at a packet trace with tcpdump or wireshark.
The problem goes away if I use the bundled libverto, so I suspect this
is either a bug in Debian's libverto (version 0.2.4) or the krad ↔
libverto interaction. I've done a quick check with t_otp.py and the
0.2.6 upstream version of libverto and it seems to work better.
After a bit more digging, it turns out that the fix is:
commit e616bd59103bf86087cf652831cc3039a43971b7
Author: Nathaniel McCallum <npmccallum@redhat.com>
Date: Fri Feb 10 01:13:30 2012 -0500
fix libev's set_flags() implementation
diff --git a/src/verto-libev.c b/src/verto-libev.c
index 2eb08fc..9c7c324 100644
--- a/src/verto-libev.c
+++ b/src/verto-libev.c
@@ -106,7 +106,9 @@ libev_ctx_set_flags(verto_mod_ctx *ctx, const verto_ev *ev,
if (verto_get_flags(ev) & VERTO_EV_FLAG_IO_WRITE)
events |= EV_WRITE;
+ ev_io_stop(ctx, (ev_io*) evpriv);
ev_io_set(((ev_io*) evpriv), verto_get_fd(ev), events);
+ ev_io_start(ctx, (ev_io*) evpriv);
}
}
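Review bot: the stop/start around ev_io_set is unconditional, so a watcher that was not active when libev_ctx_set_flags() was called leaves the function started, which is a behaviour change beyond what the commit message describes. libev does require ev_io_set() to be called only on a stopped watcher, so the ev_io_stop() is the right fix for that; record the prior state before stopping, e.g. `int was_active = ev_is_active((ev_io*) evpriv);`, and make the restart conditional: `if (was_active) ev_io_start(ctx, (ev_io*) evpriv);`.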
After applying this to Debian's 0.2.4 libverto, I can now get a ticket
using just a Yubikey, so that's pretty cool.
I'll file a bug in Debian, hopefully Sam can get this snuck in even
though we're in a freeze.
--
Tollef Fog Heen
UNIX is user friendly, it's just picky about who its friends are
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
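Greg's suggestion above is to debug the OTP verification code and the RADIUS server separately. The following is an added example, not code from the thread or from krb5's krad, that does the RADIUS side of the check on its own: it builds an Access-Request with the RFC 2865 User-Password hiding, answers it with a toy in-process server that signs the reply, and verifies the Response Authenticator the way a client must before trusting an Access-Accept. It also shows the UDP send with a timeout whose expiry is the "connection timed out" the KDC reports. The shared secret, user name, OTP value and port are constructed test data.

```python
# Added example (not from the thread or from krb5/krad): a minimal RADIUS
# Access-Request / Access-Accept exchange in pure Python, to check a RADIUS
# server and its shared secret independently of the KDC's OTP plugin.
# Wire format per RFC 2865; the shared secret, user name and OTP value
# below are constructed test data, not real credentials.
import hashlib
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2

SECRET = b"testing123"                                  # constructed shared secret
OTP_DB = {b"tfheen": b"cccccccccccc0123456789abcdef"}   # constructed user -> OTP


def _pad16(data: bytes) -> bytes:
    return data + b"\x00" * (-len(data) % 16)


def encrypt_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2 User-Password hiding: MD5 keystream chained on the ciphertext."""
    padded, out, prev = _pad16(password), b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out


def decrypt_password(cipher: bytes, secret: bytes, authenticator: bytes) -> bytes:
    out, prev = b"", authenticator
    for i in range(0, len(cipher), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(cipher[i:i + 16], key))
        prev = cipher[i:i + 16]
    return out.rstrip(b"\x00")


def _attrs(*pairs) -> bytes:
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in pairs)


def build_access_request(user: bytes, otp: bytes, secret: bytes, ident: int = 0):
    """Return (packet, request_authenticator); keep the authenticator to verify the reply."""
    ra = os.urandom(16)
    attrs = _attrs((ATTR_USER_NAME, user),
                   (ATTR_USER_PASSWORD, encrypt_password(otp, secret, ra)))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + ra + attrs, ra


def parse_attrs(attrs: bytes) -> dict:
    out, i = {}, 0
    while i + 2 <= len(attrs):
        t, length = attrs[i], attrs[i + 1]
        if length < 2 or i + length > len(attrs):
            raise ValueError("malformed attribute")
        out[t] = attrs[i + 2:i + length]
        i += length
    return out


def handle_request(packet: bytes, secret: bytes) -> bytes:
    """Toy RADIUS server: unhide User-Password, look the user up, sign the reply."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    ra, attrs = packet[4:20], parse_attrs(packet[20:length])
    ok = (code == ACCESS_REQUEST
          and decrypt_password(attrs.get(ATTR_USER_PASSWORD, b""), secret, ra)
          == OTP_DB.get(attrs.get(ATTR_USER_NAME)))
    header = struct.pack("!BBH", ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, 20)
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    return header + hashlib.md5(header + ra + secret).digest()


def verify_reply(reply: bytes, request_authenticator: bytes, secret: bytes) -> int:
    """Return the reply code if the Response Authenticator checks out, else raise."""
    code, ident, length = struct.unpack("!BBH", reply[:4])
    expected = hashlib.md5(reply[:4] + request_authenticator
                           + reply[20:length] + secret).digest()
    if reply[4:20] != expected:
        raise ValueError("bad Response Authenticator: wrong shared secret or forged reply")
    return code


def exchange(packet: bytes, server: tuple, timeout: float = 3.0):
    """Send one request over UDP and wait; None is the 'connection timed out' case."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(packet, server)
        try:
            return s.recv(4096)
        except socket.timeout:
            return None


if __name__ == "__main__":
    pkt, ra = build_access_request(b"tfheen", OTP_DB[b"tfheen"], SECRET)
    print("in-process reply code:", verify_reply(handle_request(pkt, SECRET), ra, SECRET))
    # Against a real server (constructed address): exchange(pkt, ("127.0.0.1", 1812))
    # returns None on timeout; a reply that fails verify_reply means the secret differs.
```

Run against a real server, a None from exchange() means the UDP path itself is broken (firewall, wrong port, server not listening), while a ValueError from verify_reply() means packets flow but the shared secret does not match; the two failures look identical from the KDC's "connection timed out" alone.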