Thanks to Dio I was able to get PKINIT anonymous working to enable the 
armor key. I noticed that RedHat 7 supports OTP in Kerberos and kinit 
works fine. You do need to force TCP for Kerberos, since the RADIUS 
transaction can at times take longer than a second to complete. Using UDP I was 
getting a failure on the RH7 system (a VM on my laptop) because the initial 
AS_REQ did not complete until after a second AS_REQ was sent, which failed, 
while the first came back successful.

The next step was to be able to use it for login/sudo. I modified the pam_krb5 
line in system-auth to the one below. What I see on the KDC is only encrypted 
timestamp preauth.

Can RHEL7 pam_krb5 do OTP?

       auth        [success=done authinfo_unavail=ignore new_authtok_reqd=ok ignore=ignore default=die]    pam_krb5.so no_initial_prompt no_subsequent_prompt armor=true armor_strategy=pkinit


Any help would be appreciated.


Glenn
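As an added example (not code from this thread), the kinit sequence described above, written as a small POSIX shell script: an anonymous PKINIT ticket is obtained into its own cache and used as FAST armor for the user's OTP AS exchange, and a krb5.conf fragment sets udp_preference_limit so the client uses TCP and avoids the duplicate UDP AS-REQ. The realm, the armor cache path, and an already configured pkinit_anchors / KDC with anonymous PKINIT and OTP enabled are assumptions.

```shell
#!/bin/sh
# Added example: FAST OTP kinit armored by an anonymous PKINIT ticket.
# Assumptions: pkinit_anchors is set in krb5.conf, the KDC allows anonymous
# PKINIT (restricted to TGT only), and OTP is enabled for the user.
set -eu

REALM="${REALM:-EXAMPLE.COM}"          # placeholder realm, replace with yours
ARMOR_CC="${ARMOR_CC:-/tmp/armor_cc}"  # cache that will hold the armor ticket

# Write a krb5.conf fragment that forces TCP. With udp_preference_limit = 1,
# MIT krb5 tries TCP first for every request, so a slow RADIUS round-trip no
# longer causes the client to retransmit a second AS-REQ over UDP.
write_tcp_krb5conf() {
    out="$1"
    cat > "$out" <<EOF
[libdefaults]
    default_realm = $REALM
    udp_preference_limit = 1
EOF
}

# Return 0 if the given krb5.conf forces TCP, 1 otherwise (used as a check).
forces_tcp() {
    grep -Eq '^[[:space:]]*udp_preference_limit[[:space:]]*=[[:space:]]*1[[:space:]]*$' "$1"
}

# Step 1: anonymous PKINIT (kinit -n with an empty principal name, "@REALM")
#         into a dedicated cache so it can serve as the FAST armor key.
# Step 2: the user's AS exchange, armored with that cache (-T). The OTP
#         challenge and response travel inside the FAST tunnel.
fast_otp_kinit() {
    user="$1"
    kinit -n -c "$ARMOR_CC" "@$REALM"
    kinit -T "$ARMOR_CC" "$user@$REALM"
}

# Usage: ./fast_otp.sh run <username>
if [ "${1:-}" = "run" ]; then
    fast_otp_kinit "$2"
fi
```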




On 8/26/16, 4:09 PM, "kerberos-boun...@mit.edu on behalf of Dmitri Pal" 
<kerberos-boun...@mit.edu on behalf of d...@redhat.com> wrote:

    On 08/26/2016 04:38 PM, Diogenes Jesus wrote:
    >
    >> I was able to configure a krb5-1.14.2 KDC to use FAST OTP with an RSA Authentication Manager RADIUS server.
    >>
    >> I have a couple of questions:
    >>
    >>
    >> - FAST requires an existing ticket cache. If you need a TGT to get a FAST OTP TGT, how do you do that?
    > One way is to enable Anonymous support (http://k5wiki.kerberos.org/wiki/Anonymous_kerberos) - DON'T forget to restrict anonymous to TGT only on your KDCs!
    >
    > Dio
    >
    > ________________________________________________
    > Kerberos mailing list           Kerberos@mit.edu
    > https://mailman.mit.edu/mailman/listinfo/kerberos
    >
    >
    OK you can use host key to armor the FAST tunnel for a client system if
    your host is also a part of the Kerberos realm.
    You can check FreeIPA project, there all these pieces are integrated and
    automated.
    
    -- 
    Thank you,
    Dmitri Pal
    
    Engineering Director, Identity Management and Platform Security
    Red Hat, Inc.
    

