[37826] in Kerberos


Re: OTP and kadmin

daemon@ATHENA.MIT.EDU (Benjamin Kaduk)
Sun Jan 8 13:33:41 2017

Date: Sun, 8 Jan 2017 12:33:26 -0600
From: Benjamin Kaduk <kaduk@mit.edu>
To: Felix Weissbeck <contact-kerberos@w7k.de>
Message-ID: <20170108183326.GC8460@kduck.kaduk.org>
MIME-Version: 1.0
Content-Disposition: inline
In-Reply-To: <164906241.8Ksf5XxzVl@entenkatapult>
Cc: kerberos@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

On Sun, Jan 08, 2017 at 05:02:59PM +0100, Felix Weissbeck wrote:
> Hello,
> 
> I have recently reconfigured my MIT-Kerberos setup to use PKINIT / OTP and 
> RADIUS for my admins. In my setup administrators have two accounts: one 
> "username@REALM" for regular user-stuff like mail...  and "username/
> admin@REALM" for root-logins with ssh and other administrative purposes.
> This all works just nicely and I am a huge fan.
> Users can get their tickets with a password & yubikey and then log onto the 
> servers as root.
> 
> But since I had to "kadmin: purgekeys -all user/admin" in order to force 
> them to 2FA I can no longer use "kadmin -p user/admin" from a remote host.
> 
> root@ldap:~# kadmin -p fe/admin
> Authenticating as principal fe/admin with password.
> kadmin: Invalid argument while initializing kadmin interface
> 
> while my logfiles show:
> Jan  8 15:38:13 kerberos2 krb5kdc[28363]: AS_REQ xxxxxxxxx: NEEDED_PREAUTH: 
> fe/admin@W7K.DE for kadmin/admin@W7K.DE, Additional pre-authentication 
> required
> 
> I have not changed the kadm5.acl on the kdc/kadmin so they should still be 
> allowed to do this (*/admin * ) 
> 
> I guess the problem is, that the kadmin-tool does not understand how to 
> provide the preauth (just like kinit would without the otp module).
> 
> So my question is: Did I miss anything? Is there any possibility to use kadmin 
> remotely with otp/2FA? Or is this not possible at the moment and users have to 
> use kadmin.local?

One thing to try would be separating getting tickets and authenticating
to kadmin, aka

kinit -c FILE:/tmp/krb5cc_admin -S kadmin/admin -r5m -l5m user/admin
kadmin -c FILE:/tmp/krb5cc_admin -p user/admin

That would make it more clear if it is just a failure in the kadmin client logic.

-Ben
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
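As an added example (not from Ben's reply or the MIT krb5 project), a small POSIX shell wrapper around the two-step approach above: it assumes the MIT client tools (kinit, klist, kadmin, kdestroy) are on PATH, uses a placeholder principal user/admin and a private cache path, and verifies with klist that the kadmin/admin service ticket is actually in the cache before invoking kadmin, so a remaining failure can be attributed to the kadmin client rather than to preauth.

```shell
#!/bin/sh
# Added example: get a kadmin/admin service ticket with a 2FA-capable kinit
# into a private cache, then point kadmin at that cache (no preauth in kadmin).
# Assumes MIT krb5 client tools on PATH; principal and cache path are placeholders.
set -eu

ADMIN_PRINC="${ADMIN_PRINC:-user/admin}"
CCACHE="${CCACHE:-FILE:/tmp/krb5cc_admin.$$}"

# Return 0 if the given `klist` output lists a service ticket for kadmin/admin.
# If kinit's preauth (NEEDED_PREAUTH in the KDC log) failed, no such ticket exists.
ccache_has_kadmin_ticket() {
    printf '%s\n' "$1" | grep -Eq '[[:space:]]kadmin/admin@[A-Za-z0-9.-]+$'
}

# Acquire only a kadmin/admin ticket with a short (5 minute) lifetime.
get_admin_ticket() {
    kinit -c "$CCACHE" -S kadmin/admin -r5m -l5m "$ADMIN_PRINC"
}

# Check the cache first; any error after this point comes from the kadmin client.
run_kadmin() {
    out=$(klist -c "$CCACHE")
    if ! ccache_has_kadmin_ticket "$out"; then
        echo "no kadmin/admin ticket in $CCACHE; the kinit (2FA) step failed" >&2
        return 1
    fi
    kadmin -c "$CCACHE" -p "$ADMIN_PRINC" "$@"
}

# Remove the short-lived admin cache when the session ends.
cleanup() { kdestroy -c "$CCACHE" 2>/dev/null || true; }

case "${1:-}" in
    run) shift; trap cleanup EXIT; get_admin_ticket; run_kadmin "$@" ;;
esac
```

Invoke as `sh kadmin-2fa.sh run` (optionally followed by kadmin arguments such as `-q listprincs`); the interactive 2FA prompt is handled by kinit, not kadmin.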
