[38304] in Kerberos
Re: Kerberos OTP with RADIUS for kadmin
daemon@ATHENA.MIT.EDU (Greg Hudson)
Tue Aug 21 11:24:22 2018
To: John Devitofranceschi <jdvf@optonline.net>, kerberos@mit.edu
From: Greg Hudson <ghudson@mit.edu>
Message-ID: <953a763e-e874-b10c-a70b-d9af3a856ef5@mit.edu>
Date: Tue, 21 Aug 2018 11:23:57 -0400
MIME-Version: 1.0
In-Reply-To: <2F560881-6C8F-4C24-BA7F-1D3E921C3E41@optonline.net>
Content-Language: en-US
Content-Type: text/plain; charset="utf-8"
Errors-To: kerberos-bounces@mit.edu
Content-Transfer-Encoding: 8bit
On 08/16/2018 06:41 PM, John Devitofranceschi wrote:
> I’m thinking about securing Kerberos administrative principals (*/admin and the like) with OTP using RADIUS.
>
> Will kadmin take kindly to that?
I believe it should be fine. We don't test that particular combination
as far as I know, but we do test kadmin with anonymous PKINIT. I
checked the code and it uses the appropriate interface to be able to
prompt for an OTP code as well as the password.
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
