[37662] in Kerberos
Re: [EXTERNAL] Re: FAST OTP
daemon@ATHENA.MIT.EDU (Felix Weissbeck)
Sun Aug 28 11:53:15 2016
From: Felix Weissbeck <contact-kerberos@w7k.de>
To: kerberos@mit.edu, "Machin, Glenn D" <GMachin@sandia.gov>
Date: Sun, 28 Aug 2016 17:52:41 +0200
Message-ID: <1946997.AQdI1UGBzo@mutant>
In-Reply-To: <6F19F3C7-4C66-4211-B86F-952C74B07680@sandia.gov>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
Hello Glenn,
On Sunday, 28 August 2016 01:10:12 CEST Machin, Glenn D wrote:
>
> Next step was to be able to use it for login/sudo. I modified the
> pam_krb5 step to below in system-auth. What I see on the KDC are only
> encrypted timestamp preauth.
Even if you have configured OTP, auth via encrypted timestamp should still
work. I don't know if you can configure pam_krb5 not to try timestamp, but you
could try purging the password from the krb-storage with
    kadmin.local: purgekeys -all myprinc@REALM
and see if the module falls back to otp.
> Next step was to be able to use it for login/sudo.
you might also want to take a look at the Secure Services Storage Daemon
(sssd). It supports preauth with pkinit and it should support otp w. anonymous
tickets.
I'm using it for sudo with sudoers coming from my ldap directory, but you
could also authenticate sudo against the sssd-pam-module.
> Any help would be appreciated.
> Glenn
Best regards
Felix
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
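Glenn's observation that the KDC shows only encrypted timestamp preauth is something you can check across a whole kdc.log rather than by eye. The script below is an added example, not code from this thread or from MIT krb5; the wording of the module lines, the assumption that a module line is followed by the AS_REQ result line for the same request, and the principal names and log lines are all constructed.

```python
import re
from collections import defaultdict

# Constructed sample in the style of MIT krb5 kdc.log output. The exact
# wording of the "preauth (...)" lines and the ordering (module line first,
# then the AS_REQ result line) are assumptions; adjust the regexes to your KDC.
SAMPLE_KDC_LOG = """\
Aug 28 10:01:02 kdc krb5kdc[1234](info): AS_REQ (4 etypes {18 17 16 23}) 10.0.0.5: NEEDED_PREAUTH: glenn@EXAMPLE.ORG for krbtgt/EXAMPLE.ORG@EXAMPLE.ORG, Additional pre-authentication required
Aug 28 10:01:03 kdc krb5kdc[1234](info): preauth (encrypted_timestamp) verify failure: Decrypt integrity check failed
Aug 28 10:01:03 kdc krb5kdc[1234](info): AS_REQ (4 etypes {18 17 16 23}) 10.0.0.5: PREAUTH_FAILED: glenn@EXAMPLE.ORG for krbtgt/EXAMPLE.ORG@EXAMPLE.ORG, Decrypt integrity check failed
Aug 28 10:01:20 kdc krb5kdc[1234](info): AS_REQ (4 etypes {18 17 16 23}) 10.0.0.5: NEEDED_PREAUTH: glenn@EXAMPLE.ORG for krbtgt/EXAMPLE.ORG@EXAMPLE.ORG, Additional pre-authentication required
Aug 28 10:01:21 kdc krb5kdc[1234](info): preauth (encrypted_timestamp) verified
Aug 28 10:01:21 kdc krb5kdc[1234](info): AS_REQ (4 etypes {18 17 16 23}) 10.0.0.5: ISSUE: authtime 1472378481, etypes {rep=18 tkt=18 ses=18}, glenn@EXAMPLE.ORG for krbtgt/EXAMPLE.ORG@EXAMPLE.ORG
Aug 28 10:02:00 kdc krb5kdc[1234](info): preauth (otp) verified
Aug 28 10:02:00 kdc krb5kdc[1234](info): AS_REQ (4 etypes {18 17 16 23}) 10.0.0.7: ISSUE: authtime 1472378520, etypes {rep=18 tkt=18 ses=18}, felix@EXAMPLE.ORG for krbtgt/EXAMPLE.ORG@EXAMPLE.ORG
"""

# Module line: which preauth mechanism ran and whether it succeeded.
PREAUTH_RE = re.compile(r"preauth \((?P<mech>[\w-]+)\) (?P<result>verified|verify failure)")
# AS_REQ result line: the client principal (first user@REALM token before " for service@REALM").
AS_REQ_RE = re.compile(r"AS_REQ .*?(?P<client>[^\s,]+@[^\s,]+) for [^\s,]+@[^\s,]+")

def summarize_preauth(log_text):
    """Map client principal -> {mechanism: {"verified": n, "failed": n}}.

    Module lines carry no principal, so each one is attributed to the next
    AS_REQ result line (assumed logging order for a single request).
    """
    stats = defaultdict(lambda: defaultdict(lambda: {"verified": 0, "failed": 0}))
    pending = []
    for line in log_text.splitlines():
        m = PREAUTH_RE.search(line)
        if m:
            key = "verified" if m.group("result") == "verified" else "failed"
            pending.append((m.group("mech"), key))
            continue
        m = AS_REQ_RE.search(line)
        if m:
            for mech, key in pending:
                stats[m.group("client")][mech][key] += 1
            pending = []
    return {princ: dict(mechs) for princ, mechs in stats.items()}

def principals_not_using_otp(stats, expected_otp):
    """Principals expected on OTP that only ever verified via some other mechanism."""
    flagged = []
    for princ in expected_otp:
        mechs = stats.get(princ, {})
        got_in_without_otp = any(v["verified"] for v in mechs.values())
        if mechs.get("otp", {}).get("verified", 0) == 0 and got_in_without_otp:
            flagged.append(princ)
    return sorted(flagged)
```

A principal that verifies via encrypted_timestamp despite being enrolled for OTP still has a usable long-term key, which is the case Felix's purgekeys suggestion addresses.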