(Not subscribed, please Cc me on replies)

Hi all,

I'm trying to set up the MIT KDC with support for OTP tokens (yubikeys in my case, as a single factor, at least initially). I have the entire bit from the RADIUS server and backwards working correctly, but I can't get the KDC to see replies from the RADIUS server, it complains about «connection timed out». Platform is Debian jessie with the packaged 1.12.1, but I see the same problem with a 1.13 tar.gz build.

The problem also shows itself when running the t_otp test (where I had to change the type of User-Password to octets instead of string, but I doubt that's the problem):

: tfheen@xoog ..5-1.12.1+dfsg/build/tests > PYTHONPATH=../../src/util VALGRIND="" python ../../src/tests/t_otp.py -v
*** [1] Executing: /tmp/krb5-1.12.1+dfsg/build/kadmin/dbutil/kdb5_util create -W -s -P master
Loading random data
Initializing database '/etc/krb5kdc/principal' for realm 'KRBTEST.COM',
master key name 'K/m...@krbtest.com'
*** [1] Completed with return code 0
*** [2] Executing: /tmp/krb5-1.12.1+dfsg/build/kadmin/cli/kadmin.local -q addprinc -pw user4812 u...@krbtest.com
WARNING: no policy specified for u...@krbtest.com; defaulting to no policy
Authenticating as principal tfheen/ad...@krbtest.com with password.
Principal "u...@krbtest.com" created.
*** [2] Completed with return code 0
*** [3] Executing: /tmp/krb5-1.12.1+dfsg/build/kadmin/cli/kadmin.local -q addprinc -pw admin4812 user/ad...@krbtest.com
WARNING: no policy specified for user/ad...@krbtest.com; defaulting to no policy
Authenticating as principal tfheen/ad...@krbtest.com with password.
Principal "user/ad...@krbtest.com" created.
*** [3] Completed with return code 0
*** [4] Executing: /tmp/krb5-1.12.1+dfsg/build/kadmin/cli/kadmin.local -q addprinc -randkey host/xoog.err...@krbtest.com
WARNING: no policy specified for host/xoog.err...@krbtest.com; defaulting to no policy
Authenticating as principal tfheen/ad...@krbtest.com with password.
Principal "host/xoog.err...@krbtest.com" created.
*** [4] Completed with return code 0
*** [5] Executing: /tmp/krb5-1.12.1+dfsg/build/kadmin/cli/kadmin.local -q ktadd -k /tmp/krb5-1.12.1+dfsg/build/tests/testdir/keytab -norandkey host/xoog.err...@krbtest.com
Authenticating as principal tfheen/ad...@krbtest.com with password.
Entry for principal host/xoog.err...@krbtest.com with kvno 1, encryption type aes256-cts-hmac-sha1-96 added to keytab WRFILE:/tmp/krb5-1.12.1+dfsg/build/tests/testdir/keytab.
Entry for principal host/xoog.err...@krbtest.com with kvno 1, encryption type aes128-cts-hmac-sha1-96 added to keytab WRFILE:/tmp/krb5-1.12.1+dfsg/build/tests/testdir/keytab.
Entry for principal host/xoog.err...@krbtest.com with kvno 1, encryption type des3-cbc-sha1 added to keytab WRFILE:/tmp/krb5-1.12.1+dfsg/build/tests/testdir/keytab.
Entry for principal host/xoog.err...@krbtest.com with kvno 1, encryption type arcfour-hmac added to keytab WRFILE:/tmp/krb5-1.12.1+dfsg/build/tests/testdir/keytab.
*** [5] Completed with return code 0
*** [6] Starting: /tmp/krb5-1.12.1+dfsg/build/kdc/krb5kdc -n
krb5kdc: starting...
*** [6] Started with pid 4818
*** [7] Executing: /tmp/krb5-1.12.1+dfsg/build/clients/kinit/kinit u...@krbtest.com
Password for u...@krbtest.com:
*** [7] Completed with return code 0
*** [8] Executing: /tmp/krb5-1.12.1+dfsg/build/clients/klist/klist /tmp/krb5-1.12.1+dfsg/build/tests/testdir/ccache
Ticket cache: FILE:/tmp/krb5-1.12.1+dfsg/build/tests/testdir/ccache
Default principal: u...@krbtest.com

Valid starting     Expires            Service principal
12/22/14 11:45:10  12/23/14 11:45:10  krbtgt/krbtest....@krbtest.com
*** [8] Completed with return code 0
*** [9] Executing: /tmp/krb5-1.12.1+dfsg/build/kadmin/cli/kadmin.local -q modprinc +requires_preauth u...@krbtest.com
Authenticating as principal user/ad...@krbtest.com with password.
Principal "u...@krbtest.com" modified.
*** [9] Completed with return code 0
*** [10] Executing: /tmp/krb5-1.12.1+dfsg/build/kadmin/cli/kadmin.local -q setstr u...@krbtest.com otp "[{""type"": ""udp"", ""username"": ""custom""}]"
Authenticating as principal user/ad...@krbtest.com with password.
Attribute set for principal "u...@krbtest.com".
*** [10] Completed with return code 0
*** [11] Executing: /tmp/krb5-1.12.1+dfsg/build/clients/kinit/kinit -T /tmp/krb5-1.12.1+dfsg/build/tests/testdir/ccache u...@krbtest.com
Enter OTP Token Value:
kinit: Preauthentication failed while getting initial credentials
*** [11] Completed with return code 1
*** [12] Executing: /tmp/krb5-1.12.1+dfsg/build/kadmin/cli/kadmin.local -q setstr u...@krbtest.com otp "[{""type"": ""udp""}]"
Authenticating as principal user/ad...@krbtest.com with password.
Attribute set for principal "u...@krbtest.com".
*** [12] Completed with return code 0
*** [13] Executing: /tmp/krb5-1.12.1+dfsg/build/clients/kinit/kinit -T /tmp/krb5-1.12.1+dfsg/build/tests/testdir/ccache u...@krbtest.com
Enter OTP Token Value:
kinit: Preauthentication failed while getting initial credentials
*** [13] Completed with return code 1
*** Failure: /tmp/krb5-1.12.1+dfsg/build/clients/kinit/kinit failed with code 1.
Use --debug=NUM to run a command under a debugger.
Use --stop-after=NUM to stop after a daemon is started in order to attach to it with a debugger.
Use --help to see other options.
: tfheen@xoog ..5-1.12.1+dfsg/build/tests > cat testdir/kdc.log
otp: Loaded
Dec 22 11:45:10 xoog krb5kdc[4818](info): setting up network...
Dec 22 11:45:10 xoog krb5kdc[4818](info): listening on fd 12: udp 0.0.0.0.61000 (pktinfo)
krb5kdc: setsockopt(13,IPV6_V6ONLY,1) worked
krb5kdc: Invalid argument - Cannot request packet info for udp socket address :: port 61000
Dec 22 11:45:10 xoog krb5kdc[4818](info): skipping unrecognized local address family 17
Dec 22 11:45:10 xoog krb5kdc[4818](info): skipping unrecognized local address family 17
krb5kdc: setsockopt(13,IPV6_V6ONLY,1) worked
Dec 22 11:45:10 xoog krb5kdc[4818](info): listening on fd 13: udp 2001:840:4007:8:76d0:2bff:fe95:471b.61000
krb5kdc: setsockopt(14,IPV6_V6ONLY,1) worked
Dec 22 11:45:10 xoog krb5kdc[4818](info): listening on fd 14: udp 2001:840:4007:8::123.61000
krb5kdc: setsockopt(15,IPV6_V6ONLY,1) worked
Dec 22 11:45:10 xoog krb5kdc[4818](info): listening on fd 15: udp fe80::76d0:2bff:fe95:471b%eth0.61000
krb5kdc: setsockopt(16,IPV6_V6ONLY,1) worked
Dec 22 11:45:10 xoog krb5kdc[4818](info): listening on fd 17: tcp 0.0.0.0.61000
Dec 22 11:45:10 xoog krb5kdc[4818](info): listening on fd 16: tcp ::.61000
Dec 22 11:45:10 xoog krb5kdc[4818](info): set up 6 sockets
Dec 22 11:45:10 xoog krb5kdc[4818](info): commencing operation
Dec 22 11:45:10 xoog krb5kdc[4818](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 127.0.0.1: ISSUE: authtime 1419245110, etypes {rep=18 tkt=18 ses=18}, u...@krbtest.com for krbtgt/krbtest....@krbtest.com
Dec 22 11:45:10 xoog krb5kdc[4818](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 127.0.0.1: NEEDED_PREAUTH: u...@krbtest.com for krbtgt/krbtest....@krbtest.com, Additional pre-authentication required
Dec 22 11:45:11 xoog krb5kdc[4818](info): DISPATCH: repeated (retransmitted?) request from 127.0.0.1, resending previous response
Dec 22 11:45:11 xoog krb5kdc[4818](info): closing down fd 19
Dec 22 11:45:14 xoog krb5kdc[4818](info): preauth (otp) verify failure: Connection timed out
Dec 22 11:45:14 xoog krb5kdc[4818](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 127.0.0.1: PREAUTH_FAILED: u...@krbtest.com for krbtgt/krbtest....@krbtest.com, Preauthentication failed
Dec 22 11:45:14 xoog krb5kdc[4818](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 127.0.0.1: NEEDED_PREAUTH: u...@krbtest.com for krbtgt/krbtest....@krbtest.com, Additional pre-authentication required
Dec 22 11:45:15 xoog krb5kdc[4818](info): DISPATCH: repeated (retransmitted?) request from 127.0.0.1, resending previous response
Dec 22 11:45:15 xoog krb5kdc[4818](info): closing down fd 19
Dec 22 11:45:18 xoog krb5kdc[4818](info): preauth (otp) verify failure: Connection timed out
Dec 22 11:45:18 xoog krb5kdc[4818](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 127.0.0.1: PREAUTH_FAILED: u...@krbtest.com for krbtgt/krbtest....@krbtest.com, Preauthentication failed
Dec 22 11:45:18 xoog krb5kdc[4818](debug): Got signal to request exit
Dec 22 11:45:18 xoog krb5kdc[4818](info): closing down fd 16
Dec 22 11:45:18 xoog krb5kdc[4818](info): closing down fd 17
Dec 22 11:45:18 xoog krb5kdc[4818](info): closing down fd 15
Dec 22 11:45:18 xoog krb5kdc[4818](info): closing down fd 14
Dec 22 11:45:18 xoog krb5kdc[4818](info): closing down fd 13
Dec 22 11:45:18 xoog krb5kdc[4818](info): closing down fd 12
Dec 22 11:45:18 xoog krb5kdc[4818](info): shutting down

Ideas?

-- 
Tollef Fog Heen
UNIX is user friendly, it's just picky about who its friends are
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
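Since the KDC's otp preauth talks plain RFC 2865 RADIUS over UDP, a standalone probe that speaks the same exchange helps separate "no datagram ever comes back" from "a reply arrives but does not verify under the shared secret", which a client following RFC 2865 silently discards, so only the timeout is visible. The following is an added example, not code from the post or from krb5: it builds an Access-Request with User-Name and the MD5-obfuscated User-Password, checks the Response Authenticator of whatever comes back, and reports the reply code. The secret, server address and credentials are constructed placeholders; run it against the same RADIUS host and port the KDC's otp configuration points at.

```python
import hashlib
import os
import socket
import struct

SECRET = b"testing123"  # constructed shared secret; the KDC reads its own from the otp config

def crypt_user_password(data, secret, authenticator, decrypt=False):
    # RFC 2865 5.2: 16-byte blocks XORed with MD5(secret + previous ciphertext block)
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        block = bytes(a ^ b for a, b in zip(data[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + block, (data[i:i + 16] if decrypt else block)
    return out

def encode_user_password(password, secret, authenticator):
    return crypt_user_password(password + b"\x00" * (-len(password) % 16), secret, authenticator)

def decode_user_password(cipher, secret, authenticator):
    return crypt_user_password(cipher, secret, authenticator, decrypt=True).rstrip(b"\x00")

def build_access_request(ident, authenticator, username, password, secret):
    # Access-Request (code 1) carrying User-Name (type 1) and obfuscated User-Password (type 2)
    pw = encode_user_password(password, secret, authenticator)
    attrs = bytes([1, 2 + len(username)]) + username + bytes([2, 2 + len(pw)]) + pw
    return struct.pack("!BBH", 1, ident, 20 + len(attrs)) + authenticator + attrs

def build_reply(code, ident, request_auth, secret, attrs=b""):
    # what a server answers; RFC 2865 3: authenticator = MD5(code+id+len, request auth, attrs, secret)
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + hashlib.md5(header + request_auth + attrs + secret).digest() + attrs

def response_authenticator_ok(reply, request_auth, secret):
    if len(reply) < 20 or len(reply) != struct.unpack("!H", reply[2:4])[0]:
        return False
    return reply[4:20] == hashlib.md5(reply[:4] + request_auth + reply[20:] + secret).digest()

def probe(server, secret, username, password, timeout=3.0):
    # reply code (2 Accept, 3 Reject, 11 Challenge) or None; replies failing the check are dropped
    auth, ident = os.urandom(16), os.urandom(1)[0]
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_access_request(ident, auth, username, password, secret), server)
        try:
            while True:
                reply, _ = sock.recvfrom(4096)
                if reply[1:2] == bytes([ident]) and response_authenticator_ok(reply, auth, secret):
                    return reply[0]
        except socket.timeout:
            return None
```

Calling `probe(("127.0.0.1", 1812), SECRET, b"user", b"<token value>")` and getting None while a packet capture shows a reply on the wire points at the shared secret or the reply's length field rather than at the network path.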