On 08/27/2016 09:10 PM, Machin, Glenn D wrote:
> Thanks to Dio I was able to get the Pkinit Anonymous working to enable the armor key. I noticed that RedHat 7 supports OTP in Kerberos and the kinit works fine. You do need to force TCP for Kerberos, since the radius transaction can take longer than a second to complete at times. Using UDP I was getting a failure on the RH7 system (a VM on my laptop) because the initial AS_REQ did not complete until after a second AS_REQ was sent, which failed, while the first came back successful.
>
> Next step was to be able to use it for login/sudo. I modified the pam_krb5 step to below in system-auth. What I see on the KDC are only encrypted timestamp preauth.
>
> Can RHEL7 pam_krb5 do OTP?
>
> auth [success=done authinfo_unavail=ignore new_authtok_reqd=ok ignore=ignore default=die] pam_krb5.so no_initial_prompt no_subsequent_prompt armor=true armor_strategy=pkinit

SSSD rather than pam_krb5. https://fedorahosted.org/sssd/

You in fact need to use TCP for the reasons you described, and SSSD does it for you.

RHEL 7 also has IdM (open source project is FreeIPA, http://www.freeipa.org/page/Main_Page) that includes the MIT Kerberos server as part of its domain controller offering, which is free. All the manual things you are exploring now are taken care of for you in RHEL 7, Fedora and CentOS using IdM/FreeIPA and its client that configures SSSD, Kerberos client, DNS and other parts of the system.

Thanks
Dmitri

> Any help would be appreciated.
>
> Glenn
>
> On 8/26/16, 4:09 PM, "kerberos-boun...@mit.edu on behalf of Dmitri Pal" <kerberos-boun...@mit.edu on behalf of d...@redhat.com> wrote:
>
> On 08/26/2016 04:38 PM, Diogenes Jesus wrote:
> >> I was able to configure a krb5-1.14.2 KDC to use FAST OTP with an RSA Authentication Manager Radius server.
> >>
> >> I have a couple of questions:
> >>
> >> · FAST requires an existing ticket cache. If you need a TGT to get a FAST OTP TGT how do you do that?
> > One way is to enable Anonymous support (http://k5wiki.kerberos.org/wiki/Anonymous_kerberos) - DON'T forget to restrict anonymous to tgt only on your kdcs!
> >
> > Dio
> >
> > ________________________________________________
> > Kerberos mailing list Kerberos@mit.edu
> > https://mailman.mit.edu/mailman/listinfo/kerberos
>
> OK you can use host key to armor the FAST tunnel for a client system if your host is also a part of the Kerberos realm.
> You can check FreeIPA project, there all these pieces are integrated and automated.
>
> --
> Thank you,
> Dmitri Pal
>
> Engineering Director, Identity Management and Platform Security
> Red Hat, Inc.

--
Thank you,
Dmitri Pal

Engineering Director, Identity Management and Platform Security
Red Hat, Inc.
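As an added illustration (not part of the thread, and not FreeIPA's or SSSD's own configuration) of the two client-side pieces the thread relies on, forcing TCP so a slow RADIUS/OTP round trip is not retransmitted, and supplying a PKINIT anchor so the anonymous armor ticket can be obtained, here is a krb5.conf fragment; the realm, KDC host and certificate path are placeholders:

```ini
# krb5.conf fragment (constructed example). EXAMPLE.COM, kdc.example.com
# and the anchor path are placeholders to be replaced with site values.
[libdefaults]
    default_realm = EXAMPLE.COM

    # Weak setting: with the default UDP preference the library sends the
    # AS-REQ over UDP and retransmits after roughly one second. An OTP
    # validation that takes longer than that at the RADIUS server makes the
    # retransmitted AS-REQ fail while the first one succeeds, which is the
    # failure described in the thread.
    # udp_preference_limit = 1465

    # Corrected setting: a limit of 1 forces every request over TCP, so
    # the KDC sees a single AS-REQ no matter how long RADIUS takes.
    udp_preference_limit = 1

[realms]
    EXAMPLE.COM = {
        kdc = kdc.example.com
        # Anonymous PKINIT needs a trust anchor for the KDC certificate so
        # the client can verify the KDC before accepting the armor ticket.
        pkinit_anchors = FILE:/etc/krb5/cacert.pem
    }
```

With this in place, `kinit -n -c FILE:/tmp/armor.cc` obtains the anonymous armor ticket and `kinit -T FILE:/tmp/armor.cc user@EXAMPLE.COM` performs the FAST-armored OTP request; the KDC-side anonymous restriction Dio mentions still has to be applied separately.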