[38105] in Kerberos
Re: OTP/FAST: MIT KDC <--> heimdal client integration
daemon@ATHENA.MIT.EDU (Charles Hedrick)
Fri Nov 3 10:18:10 2017
From: Charles Hedrick <hedrick@rutgers.edu>
To: Greg Hudson <ghudson@mit.edu>
Date: Fri, 3 Nov 2017 14:17:41 +0000
Message-ID: <913E4C74-159D-4DEF-AA3F-D3A9C34B0FD5@rutgers.edu>
In-Reply-To: <d9b03d6d-b791-4ed4-a018-7ba54c9d73a5@mit.edu>
Content-Language: en-US
Content-ID: <4071D6B39171334086CCCACB260CC7CE@namprd14.prod.outlook.com>
MIME-Version: 1.0
Cc: "kerberos@mit.edu" <kerberos@mit.edu>
Content-Type: text/plain; charset="utf-8"
Errors-To: kerberos-bounces@mit.edu
Content-Transfer-Encoding: 8bit
It’s sort of implemented. On my Mac, if I use --fast-armor-cache=FILE:/tmp/krb5cc_1003 it sends udp packets to the server. The server doesn’t return anything and makes no entry in krb5kdc.log. So the client waits and eventually times out.
If I force tcp by using tcp/hostname in krb5.conf, a non-OTP kinit works, but a fast kinit immediately returns unable to reach any KDC.
A compatibility issue between Heimdal and MIT KDCs?
> On Nov 2, 2017, at 10:50 AM, Greg Hudson <ghudson@mit.edu> wrote:
>
> On 11/02/2017 05:06 AM, Oleksandr Yermolenko wrote:
>> I have a strange (for me?) situation using MIT KDC together with
>> Heimdal client. PKINIT/FAST scenario.
>
> I don't believe Heimdal implements FAST OTP.
>
>> kinit --cache=FILE:/tmp/krb5cc_1000 aae@IDM.CRP
>> aae@IDM.CRP's Password: passwordOTP
>> kinit: Password incorrect
>>
>> KDC log:
>> Nov 02 09:45:56 ipa31.idm.crp krb5kdc[1932](info): preauth (encrypted_timestamp) verify failure: Preauthentication failed
>> Nov 02 09:45:56 ipa31.idm.crp krb5kdc[1932](info): preauth
>
> It looks like the Heimdal client is trying to do encrypted timestamp
> (not encrypted challenge, so I'm not sure the client is even using FAST
> with these options) against whatever long-term keys you have on the
> client principal entry. You might want to remove those (with kadmin
> purgekeys -all) so that the KDC doesn't offer encrypted
> timestamp/encrypted challenge.
> ________________________________________________
> Kerberos mailing list Kerberos@mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
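Greg's diagnosis above rests on one detail in the KDC log: a `preauth (encrypted_timestamp)` failure means the client answered the KDC with plain encrypted timestamp, while `encrypted_challenge` is only ever used inside a FAST tunnel, so it tells you whether FAST armor was actually in effect. The following parser, added here as an illustration and not code from the thread or from MIT krb5, applies that rule over `krb5kdc.log` lines. The first sample line is the one quoted in the thread; the remaining lines and the mechanism-to-FAST mapping are constructed here for the example.

```python
import re
from collections import Counter

# Constructed sample input in the MIT krb5kdc.log format quoted in the thread.
# Line 1 is the line Oleksandr posted; lines 2 and 3 are constructed here to
# exercise the encrypted_challenge branch (the mechanism FAST clients use).
SAMPLE_LOG = """\
Nov 02 09:45:56 ipa31.idm.crp krb5kdc[1932](info): preauth (encrypted_timestamp) verify failure: Preauthentication failed
Nov 02 09:45:56 ipa31.idm.crp krb5kdc[1932](info): preauth (encrypted_timestamp) verify failure: Preauthentication failed
Nov 02 09:46:10 ipa31.idm.crp krb5kdc[1932](info): preauth (encrypted_challenge) verify failure: Preauthentication failed
"""

# One "preauth (<mechanism>) verify failure: <reason>" line from krb5kdc.log.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) krb5kdc\[(?P<pid>\d+)\]"
    r"\((?P<level>\w+)\): preauth \((?P<mech>[\w-]+)\) verify failure: (?P<reason>.*)$"
)

# Encrypted challenge (RFC 6113) exists only inside FAST; encrypted timestamp
# is the classic, un-armored mechanism. Both names are MIT's preauth module names.
FAST_ONLY = {"encrypted_challenge"}
NON_FAST = {"encrypted_timestamp"}


def parse_preauth_failures(text):
    """Return one dict (ts, host, pid, level, mech, reason) per matching line."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def summarize(events):
    """Count failures per mechanism and split them into FAST vs non-FAST."""
    counts = Counter(e["mech"] for e in events)
    return {
        "by_mechanism": dict(counts),
        "fast_failures": sum(v for k, v in counts.items() if k in FAST_ONLY),
        "non_fast_failures": sum(v for k, v in counts.items() if k in NON_FAST),
    }


def diagnose(events):
    """Turn the mechanism split into the verdict Greg drew from the log."""
    s = summarize(events)
    if s["non_fast_failures"] and not s["fast_failures"]:
        return "client used encrypted timestamp only: FAST was not in effect"
    if s["fast_failures"] and not s["non_fast_failures"]:
        return "client used encrypted challenge: FAST armor was in effect"
    if s["fast_failures"] and s["non_fast_failures"]:
        return "mixed: some requests used FAST, some did not"
    return "no recognised preauth failures"


if __name__ == "__main__":
    evs = parse_preauth_failures(SAMPLE_LOG)
    print(summarize(evs))
    print(diagnose(evs))
```

Run against a real `krb5kdc.log`, a verdict of "encrypted timestamp only" for a client that was supposed to be using `--fast-armor-cache` is the signal that the armor ticket never made it into the request, which is the situation Greg describes; the `purgekeys -all` suggestion removes the long-term keys the KDC would otherwise offer encrypted timestamp against.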