OTP and kadmin
From: Felix Weissbeck <contact-kerberos@w7k.de>
To: kerberos@mit.edu
Date: Sun, 08 Jan 2017 17:02:59 +0100
Hello,
I have recently reconfigured my MIT Kerberos setup to use PKINIT / OTP and
RADIUS for my admins. In my setup administrators have two accounts: one
"username@REALM" for regular user-stuff like mail... and "username/
admin@REALM" for root-logins with ssh and other administrative purposes.
This all works just nicely and I am a huge fan.
Users can get their tickets with a password & yubikey and then log onto the
servers as root.
But since I had to "kadmin: purgekeys -all user/admin" in order to force
them to 2FA, I can no longer use "kadmin -p user/admin" from a remote host.
root@ldap:~# kadmin -p fe/admin
Authenticating as principal fe/admin with password.
kadmin: Invalid argument while initializing kadmin interface
while my logfiles show:
Jan 8 15:38:13 kerberos2 krb5kdc[28363]: AS_REQ xxxxxxxxx: NEEDED_PREAUTH:
fe/admin@W7K.DE for kadmin/admin@W7K.DE, Additional pre-authentication
required
I have not changed the kadm5.acl on the KDC/kadmin, so they should still be
allowed to do this (*/admin *).
I guess the problem is that the kadmin tool does not understand how to
provide the preauth (just like kinit would without the otp module).
So my question is: Did I miss anything? Is there any possibility to use kadmin
remotely with otp/2FA? Or is this not possible at the moment and users have to
use kadmin.local?
Best Regards
Felix Weissbeck