On Wed, 20 Jun 2018, Oleksandr Yermolenko via FreeIPA-users wrote:
Hi,

Has someone managed to setup OTP 2FA between FreeIPA 4.5.X and Mac OS (High Sierra)?
When authenticating with a non 2FA user, works fine.

THE FIRST WAY: native heimdal client:

aae$ kinit --version
kinit (Heimdal 1.5.1apple1)
Copyright 1995-2011 Kungliga Tekniska Högskolan
Send bug-reports to heimdal-b...@h5l.org
aae$

aae$ kdestroy
aae$ kinit --anonymous
aae$ klist
Credentials cache: KCM:74E6A71B-BCB9-43E1-8832-AFC7B17831E7
      Principal: WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS

Issued                Expires               Principal
Jun 20 12:41:07 2018  Jun 21 12:41:06 2018  krbtgt/idm....@idm.crp

aae$ kinit --fast-armor-cache=KCM:74E6A71B-BCB9-43E1-8832-AFC7B17831E7 a...@idm.crp
kinit: krb5_init_creds_set_fast_ccache: Matching credential (krbtgt/WELLKNOWN:ANONYMOUS@WELLKNOWN:ANONYMOUS) not found
aae$

I found [1] that FAST is supported, but whether it is enough for OTP I have no idea. I tried the TCP protocol [2] without success. I can't find information on how to activate anonymous FAST on Mac OS, if this protocol is supported at all. What about OTP? I'm not sure that the old Heimdal Kerberos client is compatible with PKINIT/FAST. I know, so many questions for Apple developers and support.

---------------------------------------------
THE SECOND WAY: client MIT version krb5-1.16.1
port install kerberos5
...
--->  Installing kerberos5 @1.16.1_0
...

slightly changed /etc/krb5.conf

aae$ kdestroy
kdestroy: No credentials cache found while destroying cache

aae$ kinit -n
aae$ klist -A
Ticket cache: KCM:501
Default principal: WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS

Valid starting       Expires              Service principal
06/20/2018 12:46:22  06/21/2018 12:46:22  krbtgt/idm....@idm.crp

aae$ kinit -T KCM:501 a...@idm.crp
Enter OTP Token Value:
aae$

aae$ klist -A
Ticket cache: KCM:501:2
Default principal: a...@idm.crp

Valid starting       Expires              Service principal
06/20/2018 12:47:13  06/21/2018 12:46:59  krbtgt/idm....@idm.crp

Ticket cache: KCM:501
Default principal: WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS

Valid starting       Expires              Service principal
06/20/2018 12:46:22  06/21/2018 12:46:22  krbtgt/idm....@idm.crp
aae$

Much, much better, but it's not enough because I can't use the TGT. As you can see, I tried to use the KCM cache, believing that I was using the native Heimdal KCM server on my Mac, but without success: I do not see any valid tickets in /System/Library/CoreServices/<Ticket Viewer> and of course don't have Kerberos-related access to corporate resources.
----------------------------------------------


Any help is appreciated. Possible directions/ideas on how to implement 2FA on Mac OS without hacks?

FreeIPA requires a Kerberos implementation with RFC6560 support.
Heimdal, to date, doesn't have it implemented.

As for KCM, even though keys are stored in the KCM provided by Heimdal,
it doesn't mean that the Heimdal client will be able to read and use a
ticket obtained by the MIT client; at least internally these have completely
different structures.


--
/ Alexander Bokovoy
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/message/S5FHPS7LAD2LZFKGBTBKL4EKMKVCSY4N/