Hello, I have recently reconfigured my MIT Kerberos setup to use PKINIT / OTP and RADIUS for my admins. In my setup administrators have two accounts: one "username@REALM" for regular user stuff like mail... and "username/admin@REALM" for root logins with ssh and other administrative purposes. This all works just nicely and I am a huge fan. Users can get their tickets with a password & yubikey and then log onto the servers as root.

But since I had to "kadmin: purgekeys -all user/admin" in order to force them to 2FA, I can no longer use "kadmin -p user/admin" from a remote host.

    root@ldap:~# kadmin -p fe/admin
    Authenticating as principal fe/admin with password.
    kadmin: Invalid argument while initializing kadmin interface

while my logfiles show:

    Jan 8 15:38:13 kerberos2 krb5kdc[28363]: AS_REQ xxxxxxxxx: NEEDED_PREAUTH: fe/ad...@w7k.de for kadmin/ad...@w7k.de, Additional pre-authentication required

I have not changed the kadm5.acl on the kdc/kadmin, so they should still be allowed to do this (*/admin *). I guess the problem is that the kadmin tool does not understand how to provide the preauth (just like kinit would without the otp module).

So my question is: Did I miss anything? Is there any possibility to use kadmin remotely with otp/2FA? Or is this not possible at the moment and users have to use kadmin.local?

Best Regards
Felix Weissbeck
________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
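An added example, not part of the thread above and not code from MIT Kerberos: one way to keep the pre-authentication step inside kinit, which already handles the password plus OTP prompt, is to let kinit fetch the kadmin/admin service ticket directly (kinit -S) and then start kadmin with -c so it reuses that cache instead of issuing its own AS_REQ. The wrapper below refuses to launch kadmin unless klist confirms the service ticket is really in the cache, and destroys the cache afterwards. Placeholders and assumptions: the principal fe/admin@EXAMPLE.ORG, the cache path, kadmin/admin as the admin server's service principal, and that the OTP preauth that already works for the poster's kinit applies to this request as well.

```shell
#!/bin/sh
# Added example, not code from the thread or from MIT Kerberos itself.
# Idea: let kinit do the AS_REQ (it knows how to answer the OTP preauth),
# asking it for a kadmin/admin service ticket directly, then start kadmin
# with -c so it reuses that cache instead of trying to authenticate itself.
# Placeholders (assumptions): the principal/realm below, the cache path, and
# kadmin/admin as the admin server's service principal (the MIT default).

ADMIN_PRINC="${ADMIN_PRINC:-fe/admin@EXAMPLE.ORG}"   # placeholder principal
KADMIN_SVC="kadmin/admin"                             # assumed service name
CCACHE="${CCACHE:-/tmp/krb5cc_kadmin_$$}"             # private cache for one session

# has_kadmin_ticket KLIST_OUTPUT
# Returns 0 when the klist(1) text lists a ticket for $KADMIN_SVC, 1 otherwise.
# It only parses text, so it can be exercised on constructed output without a KDC.
has_kadmin_ticket() {
    printf '%s\n' "$1" |
        grep -Eq "[[:space:]]${KADMIN_SVC}@[^[:space:]]+[[:space:]]*$"
}

# admin_session [kadmin arguments...]
# 1. kinit prompts for password and OTP value and stores the service ticket.
# 2. Refuse to continue unless the cache really holds that ticket.
# 3. kadmin reuses the cache (-c); no password prompt, no second AS_REQ.
# 4. Destroy the cache so the admin ticket does not outlive the session.
admin_session() {
    kinit -c "$CCACHE" -S "$KADMIN_SVC" "$ADMIN_PRINC" || return 1
    if ! has_kadmin_ticket "$(klist -c "$CCACHE")"; then
        echo "no $KADMIN_SVC ticket in $CCACHE, not starting kadmin" >&2
        kdestroy -c "$CCACHE"
        return 1
    fi
    rc=0
    kadmin -c "$CCACHE" -p "$ADMIN_PRINC" "$@" || rc=$?
    kdestroy -c "$CCACHE"
    return "$rc"
}

# Constructed klist output (not captured from a real KDC) to exercise the check.
SAMPLE_KLIST='Ticket cache: FILE:/tmp/krb5cc_kadmin_1
Default principal: fe/admin@EXAMPLE.ORG

Valid starting       Expires              Service principal
01/08/2018 15:38:13  01/09/2018 01:38:13  kadmin/admin@EXAMPLE.ORG'

if has_kadmin_ticket "$SAMPLE_KLIST"; then
    echo "sample cache holds a $KADMIN_SVC ticket; kadmin -c would be usable"
fi

# Run the real session only when asked: sh this_script.sh run [kadmin args]
if [ "${1:-}" = "run" ]; then
    shift
    admin_session "$@"
fi
```

Invoked as `sh kadmin-otp.sh run` the wrapper prompts once (through kinit) for the password and OTP value; the check on the klist output is what keeps a cache that only holds a TGT, or nothing at all, from being handed to kadmin.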