You can get an MIT Kerberos implementation from MacPorts. I use that myself. However, I don't use it for login, so I haven't tried the PAM support on the Mac. The MacPorts implementation supports both 2FA and the HTTPS proxy. We restrict access to our Kerberos servers, so people at home have to use the proxy.
> On Jun 20, 2018, at 6:00 AM, Oleksandr Yermolenko via FreeIPA-users
> <freeipa-users@lists.fedorahosted.org> wrote:
>
> Hi,
>
> Has someone managed to set up OTP 2FA between FreeIPA 4.5.X and Mac OS (High
> Sierra)?
> When authenticating with a non-2FA user, it works fine.
>
> THE FIRST WAY: native Heimdal client:
>
> aae$ kinit --version
> kinit (Heimdal 1.5.1apple1)
> Copyright 1995-2011 Kungliga Tekniska Högskolan
> Send bug-reports to heimdal-b...@h5l.org
> aae$
>
> aae$ kdestroy
> aae$ kinit --anonymous
> aae$ klist
> Credentials cache: KCM:74E6A71B-BCB9-43E1-8832-AFC7B17831E7
> Principal: WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS
>
>   Issued                Expires               Principal
> Jun 20 12:41:07 2018  Jun 21 12:41:06 2018  krbtgt/idm....@idm.crp
>
> aae$ kinit --fast-armor-cache=KCM:74E6A71B-BCB9-43E1-8832-AFC7B17831E7 a...@idm.crp
> kinit: krb5_init_creds_set_fast_ccache: Matching credential
> (krbtgt/WELLKNOWN:ANONYMOUS@WELLKNOWN:ANONYMOUS) not found
> aae$
>
> Found [1] that FAST is supported, but whether it is enough for OTP I have no idea.
> Tried the TCP protocol [2] without success. I can't find information on how to
> activate anonymous FAST on Mac OS, if this protocol is supported. What about OTP?
> I'm not sure that the old Heimdal Kerberos client is compatible with PKINIT/FAST.
> I know, so many questions for Apple developers and support.
>
> ---------------------------------------------
> THE SECOND WAY: client MIT version krb5-1.16.1
> port install kerberos5
> ...
> ---> Installing kerberos5 @1.16.1_0
> ...
>
> slightly changed /etc/krb5.conf
>
> aae$ kdestroy
> kdestroy: No credentials cache found while destroying cache
>
> aae$ kinit -n
> aae$ klist -A
> Ticket cache: KCM:501
> Default principal: WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS
>
> Valid starting       Expires              Service principal
> 06/20/2018 12:46:22  06/21/2018 12:46:22  krbtgt/idm....@idm.crp
>
> aae$ kinit -T KCM:501 a...@idm.crp
> Enter OTP Token Value:
> aae$
>
> aae$ klist -A
> Ticket cache: KCM:501:2
> Default principal: a...@idm.crp
>
> Valid starting       Expires              Service principal
> 06/20/2018 12:47:13  06/21/2018 12:46:59  krbtgt/idm....@idm.crp
>
> Ticket cache: KCM:501
> Default principal: WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS
>
> Valid starting       Expires              Service principal
> 06/20/2018 12:46:22  06/21/2018 12:46:22  krbtgt/idm....@idm.crp
> aae$
>
> Much, much better, but it's not enough because I can't use the TGT. As you can see,
> I tried to use the KCM cache, believing that I use the native Heimdal KCM server on my
> Mac, but without success: I do not see any valid tickets here
> /System/Library/CoreServices/<Ticket Viewer> and of course don't have
> Kerberos-related access to corporate resources.
> ----------------------------------------------
>
>
> Any help is appreciated. Possible directions/ideas on how to implement 2FA on
> Mac OS without hacks?
>
> I have successfully set up Linux using pam-krb5 and the anon_fast option.
>
> References:
> [1] https://www.redhat.com/archives/freeipa-users/2016-December/msg00214.html
> [2] https://www.redhat.com/archives/freeipa-users/2016-December/msg00219.html
>
> --
> Oleksandr Yermolenko
> systems engineer
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
> Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/message/DK5AFM2KZS4AYETQYLZTSDQZ3KCI4YKP/

List Archives: https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/message/5IXVMH3XIS72ILD5KRQHADOKG4UAJLY7/
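The two-step MIT krb5 sequence from the quoted post (anonymous ticket as FAST armor, then an OTP-protected kinit), scripted as an added example that is not part of either message, with a check that the resulting cache actually holds a user TGT rather than only the anonymous one. It assumes the MacPorts MIT `kinit`/`klist`/`kdestroy` are on PATH; `alice@EXAMPLE.COM` and the realm are placeholders, and the `klist -A` sample is constructed.

```shell
#!/bin/sh
# Added example, not code from the thread. Repeats the MIT-krb5 sequence the
# post uses (anonymous armor ticket, then OTP kinit) and checks the outcome
# by parsing `klist -A`. Assumes MacPorts MIT kinit/klist/kdestroy on PATH;
# principal and realm below are placeholders.

# has_tgt_for <principal> <realm>: read `klist -A` output on stdin; succeed only
# if a cache whose default principal is <principal> holds krbtgt/<realm>@<realm>.
has_tgt_for() {
    awk -v p="$1" -v r="$2" '
        /^Default principal:/ { cur = ($3 == p) }
        cur && $NF == ("krbtgt/" r "@" r) { found = 1 }
        END { exit found ? 0 : 1 }'
}

# login_with_otp <principal>: the two-step kinit. The anonymous armor ticket is
# kept in its own FILE cache so it never becomes the default credential.
login_with_otp() {
    princ="$1"
    realm="${princ#*@}"
    armor="FILE:/tmp/krb5cc_armor_$$"
    # Step 1: anonymous PKINIT; the KDC must permit it (FreeIPA does).
    kinit -n -c "$armor" || { echo "anonymous PKINIT failed" >&2; return 1; }
    # Step 2: OTP pre-authentication (RFC 6560) requires FAST; -T keys the
    # FAST tunnel with the armor ticket so the OTP value travels encrypted.
    kinit -T "$armor" "$princ" || { kdestroy -c "$armor"; return 1; }
    kdestroy -c "$armor"
    klist -A | has_tgt_for "$princ" "$realm"
}

# Constructed sample of `klist -A` output in the shape the post shows.
SAMPLE_KLIST='Ticket cache: KCM:501:2
Default principal: alice@EXAMPLE.COM

Valid starting       Expires              Service principal
06/20/2018 12:47:13  06/21/2018 12:46:59  krbtgt/EXAMPLE.COM@EXAMPLE.COM

Ticket cache: KCM:501
Default principal: WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS

Valid starting       Expires              Service principal
06/20/2018 12:46:22  06/21/2018 12:46:22  krbtgt/EXAMPLE.COM@EXAMPLE.COM'

if [ "${1:-}" = "login" ]; then
    login_with_otp "${2:-alice@EXAMPLE.COM}"
fi
```

Run `sh script.sh login user@REALM` to perform the login; the exit status tells you whether a TGT for that user was obtained, independent of which KCM sub-cache it landed in.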