[39439] in Kerberos

one time password integration

daemon@ATHENA.MIT.EDU (Charles Hedrick via Kerberos)
Wed Jul 31 14:23:49 2024

To: "kerberos@mit.edu" <kerberos@mit.edu>
Date: Wed, 31 Jul 2024 18:22:34 +0000
Message-ID: <PH0PR14MB5493673E648D14F5CEE0B7DFAAB12@PH0PR14MB5493.namprd14.prod.outlook.com>
Content-Language: en-US
MIME-Version: 1.0
From: Charles Hedrick via Kerberos <kerberos@mit.edu>
Reply-To: Charles Hedrick <hedrick@rutgers.edu>
Content-Type: text/plain; charset="iso-8859-1"
Errors-To: kerberos-bounces@mit.edu
Content-Transfer-Encoding: 8bit

We're looking at one time password integration (DUO). A while ago changes were made to allow a longer timeout, since users may take a while to respond to DUO requests. Since this isn't in a release yet, and it takes years for new versions to show up on all of our systems, we can't depend upon the changes now. But I'd like it to work in the long run.

There's another issue beyond the timeout, and it's not clear to me that the change takes it into account. Traditionally the client will talk to all servers at the same time if it can't get to the initial kdc fairly quickly. It's not obvious to me that this behavior changes with the new code. The comments suggest that with TCP if there isn't an answer within 10 sec, it then tries all servers.

This could produce the effect of having several servers simultaneously asking for DUO authentication, if the user doesn't respond within 10 sec. This is not a desirable result. I'm not entirely sure how this should work, but my first inclination is to say that if a TCP connection opens to the server, no other connection should be opened until the timeout. At the timeout another server should be tried.

It seems unlikely that a KDC would open a connection but not do anything. Not impossible, but unlikely. 

________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
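An added model, not krb5 code and not from the poster, of the two client contact policies the message contrasts: the current fan-out (first KDC, then all remaining KDCs once the 10 s quoted in the message has elapsed without an answer) and the proposed serial policy (one open TCP connection at a time until it times out). It counts how many KDCs have received the OTP-bearing AS-REQ, and so could each trigger a DUO push, by the time the user answers; the KDC names, the 60 s per-KDC timeout and the user response times are assumed values.

```python
# Added model, not krb5 code: when does a client open a connection to each KDC
# under the two contact policies, and how many KDCs have received the
# OTP-bearing AS-REQ (each a potential DUO push) before the user answers?
from dataclasses import dataclass

FALLBACK_AFTER = 10.0  # seconds; the "10 sec" the message attributes to the TCP code


@dataclass
class Contact:
    kdc: str
    opened_at: float  # seconds after the client started, when the connection opened


def fanout_policy(kdcs, user_delay, overall_timeout, fallback_after=FALLBACK_AFTER):
    """Current behaviour as the message reads it: contact the first KDC; if it
    has not answered within fallback_after, contact all the others in parallel.
    user_delay is how long the user takes to approve the push."""
    contacts = [Contact(kdcs[0], 0.0)]
    if user_delay > fallback_after:
        contacts += [Contact(k, fallback_after) for k in kdcs[1:]]
    succeeded = user_delay <= overall_timeout
    return contacts, succeeded


def serial_policy(kdcs, user_delay, per_kdc_timeout):
    """Proposed behaviour: once a TCP connection is open, no other KDC is
    contacted until that connection times out; then the next KDC is tried."""
    contacts = []
    for i, k in enumerate(kdcs):
        opened = i * per_kdc_timeout  # KDC i owns the window [i*T, (i+1)*T)
        if opened > user_delay:
            break  # the user already answered on an earlier KDC
        contacts.append(Contact(k, opened))
    succeeded = user_delay < len(kdcs) * per_kdc_timeout
    return contacts, succeeded


def prompts_before_answer(contacts):
    """Distinct KDCs that received the request, i.e. possible DUO pushes."""
    return len({c.kdc for c in contacts})


if __name__ == "__main__":
    kdcs = ["kdc1.example", "kdc2.example", "kdc3.example"]  # constructed names
    for delay in (5.0, 25.0):  # constructed user response times
        fan, _ = fanout_policy(kdcs, delay, overall_timeout=60.0)
        ser, _ = serial_policy(kdcs, delay, per_kdc_timeout=60.0)
        print(f"user answers after {delay:>4}s: fan-out prompts "
              f"{prompts_before_answer(fan)}, serial prompts {prompts_before_answer(ser)}")
```

With a 25 s response the fan-out policy has contacted all three KDCs (three possible pushes) while the serial policy has contacted one; the serial policy only reaches a second KDC once the first connection's full timeout has passed.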
