[38441] in Kerberos
Re: Kerberos n00b question.
daemon@ATHENA.MIT.EDU (Robbie Harwood)
Thu Jan 10 14:23:40 2019
From: Robbie Harwood <rharwood@redhat.com>
To: Grant Taylor <gtaylor@tnetconsulting.net>, <kerberos@mit.edu>
In-Reply-To: <ab038516-6559-3773-4435-a2ffdba2a584@spamtrap.tnetconsulting.net>
Date: Thu, 10 Jan 2019 14:23:32 -0500
Message-ID: <jlgd0p4co5n.fsf@redhat.com>
Grant Taylor <gtaylor@tnetconsulting.net> writes:
> On 1/8/19 6:02 PM, Robbie Harwood wrote:
>
>> Also! 2FA will mitigate this concern somewhat as well.
>
> I was wondering about 2nd factor authentication. I have a YubiKey
> that's waiting for my attention.
>
> Would I be correct in assuming that (from a Kerberos point of view)
> the 1st and 2nd factors are used during the kinit process? Meaning
> that all of the SSO functions still work unimpeded?

Correct.

As an additional note, second factors (and PKINIT etc.) can set what we
call auth indicators:

http://web.mit.edu/kerberos/krb5-latest/doc/admin/auth_indicator.html

Applications can use these to mandate certain authentication properties
(e.g., used 2fa) on requests.

Thanks,
--Robbie
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
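
The auth indicator mechanism mentioned in the message above, as an added configuration sketch that is not part of the original e-mail or of the MIT documentation. The realm, host names, file path, token type name "yubi" and indicator names are constructed placeholders, and only the indicator-related settings are shown (a working PKINIT or OTP deployment needs its usual additional setup).

```ini
# kdc.conf fragment (MIT krb5 1.14 or later).
# All names and paths here are constructed placeholders.

[realms]
    EXAMPLE.COM = {
        # Tickets obtained with PKINIT preauthentication carry the
        # indicator "pkinit".
        pkinit_indicator = pkinit
    }

[otp]
    # Hypothetical token type "yubi"; the OTP value is validated by a
    # RADIUS server (assumed to exist at this address).
    yubi = {
        server = radius.example.com:1812
        secret = /var/kerberos/krb5kdc/radius.secret
        # Tickets obtained through this token type carry the
        # indicator "otp".
        indicator = otp
    }

# Service side, set once in kadmin. The KDC then issues tickets for this
# service only when the client's TGT carries at least one of the listed
# indicators:
#
#   kadmin: setstr host/secure.example.com require_auth "otp pkinit"
#
# A password-only kinit still yields a TGT and single sign-on to services
# without require_auth, but a ticket request for host/secure.example.com
# is refused by the KDC.
```

Because the indicators are attached at kinit time and travel in the ticket, the second factor is presented once and later service ticket requests need no further prompt.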