On 10/16/2015 12:23 PM, Booker Bense wrote:
> In poking around on the web, I've found that MIT has some duo integration
> for the kinit program.
>
> Is there any documentation available on how this was implemented?

It's a custom kdcpreauth module using the SAM-2 mechanism, with repeated
KDC_ERR_PREAUTH_REQUIRED responses and KDC state. We are hoping to make
it open source at some point, but need to do some cleanup first.

The security properties of SAM-2 aren't great, and it isn't implemented
in any krb5 implementation other than MIT's. We are also working on a
SPAKE2-based preauth mechanism which should eventually enable a much
better integration of second factors, including Duo.

(CC'd Richard Basch as he asked the same question a couple of weeks ago.)
________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos