Hi,

On Friday, 7 July 2017, 07:54:19 CEST, Brennecke, Simon wrote:
> Here is where I am a bit unsure now. I kinda expect "kinit -p simon" now to
> either ask me for my password AND my OTP token, or at least fail with some
> error message. But instead it succeeds if I just enter my password.

As far as I understand the pre-auth, it succeeds if you enter a correct password OR if the RADIUS authentication is successful. One solution is to remove the password from the Kerberos database, so it only works if the RADIUS auth is successful:

    kadmin -q 'purgekeys -all YOUR_PRINCNAME'

(see: https://web.mit.edu/kerberos/krb5-1.13/doc/admin/pkinit.html)

The "problem" here is that you can now obtain a Kerberos ticket with your second factor alone; so you could configure PAM to successfully authenticate with password+token.

I have a setup that asks for a password plus (yubikey or google-auth). The PAM configuration looks like this:

    auth [success=2 default=ignore] pam_google_authenticator.so try_first_pass forward_pass
    auth [success=1 default=ignore] pam_yubico.so id=2 authfile=/etc/yubikeyid url=http://127.0.0.1/wsapi/2.0/verify?id=%d&otp=%s try_first_pass
    auth requisite pam_deny.so
    auth [success=1 default=ignore] pam_unix.so use_first_pass
    auth requisite pam_deny.so
    auth required pam_permit.so

> Also can somebody explain how this integrates with PAM-Kerberos on a client
> machine? Will PAM then prompt the user for the OTP token and password?

The authentication works with password+OTP supplied as one string.

Hope this helps. If anyone has a better approach please let me know.

Best regards
Felix
________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
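The point of the stack Felix posted is that the `[success=N default=ignore]` jumps turn it into "(google-auth OR yubikey) AND unix password": a successful OTP module skips the first pam_deny and lands on pam_unix, which must still accept the password that the OTP module forwarded. The simulator below is an added illustration, not code from the post or from Linux-PAM or the PAM modules named. It parses the posted stack (with the wrapped `/etc/ yubikeyid` joined into one token) and evaluates it with the control semantics of pam.conf(5); the module behaviours are simplified stand-ins (a fixed "current" TOTP code, a single accepted 44-character YubiKey OTP, no replay tracking), and the user, password and codes are constructed test values.

```python
"""Simulate the control flow of the PAM auth stack posted above.

Added example, not code from the post or from Linux-PAM.  Only the stack
evaluation follows pam.conf(5); the modules are simplified stand-ins.
"""
import re
from dataclasses import dataclass

# The stack as posted (the wrapped "/etc/ yubikeyid" joined into one token).
PAM_STACK = """
auth [success=2 default=ignore] pam_google_authenticator.so try_first_pass forward_pass
auth [success=1 default=ignore] pam_yubico.so id=2 authfile=/etc/yubikeyid url=http://127.0.0.1/wsapi/2.0/verify?id=%d&otp=%s try_first_pass
auth requisite pam_deny.so
auth [success=1 default=ignore] pam_unix.so use_first_pass
auth requisite pam_deny.so
auth required pam_permit.so
"""

# Constructed test identity (assumptions for this example, not from the post).
PASSWORD = "hunter2!"
TOTP_NOW = "492039"                    # the 6-digit code valid "right now"
YUBI_OTP = "cccccccccccc" + "b" * 32   # a 44-char modhex OTP the server accepts

# Keyword controls expanded into their [..] form, as in pam.conf(5).
KEYWORDS = {
    "required":   {"success": "ok",   "default": "bad"},
    "requisite":  {"success": "ok",   "default": "die"},
    "sufficient": {"success": "done", "default": "ignore"},
    "optional":   {"success": "ok",   "default": "ignore"},
}

@dataclass
class Entry:
    control: dict
    module: str
    args: tuple

def parse_stack(text):
    """Parse 'auth <control> <module> [args...]' lines into Entry objects."""
    entries = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if tokens[1].startswith("["):
            end = next(i for i, t in enumerate(tokens) if t.endswith("]"))
            body = " ".join(tokens[1:end + 1]).strip("[]")
            control = dict(kv.split("=") for kv in body.split())
            rest = tokens[end + 1:]
        else:
            control = KEYWORDS[tokens[1]]
            rest = tokens[2:]
        entries.append(Entry(control, rest[0], tuple(rest[1:])))
    return entries

# Module stand-ins: each takes (args, authtok) and returns (retval, authtok).
def google_authenticator(args, authtok):
    # forward_pass: trailing 6 digits are the TOTP code; the rest is forwarded
    # to the next module as the password (scratch codes not modelled).
    m = re.fullmatch(r"(.*?)(\d{6})", authtok)
    if m and m.group(2) == TOTP_NOW:
        return "success", m.group(1)
    return "auth_err", authtok

def yubico(args, authtok):
    # try_first_pass: the last 44 characters are the OTP; remainder forwarded.
    if len(authtok) >= 44 and authtok[-44:] == YUBI_OTP:
        return "success", authtok[:-44]
    return "auth_err", authtok

def unix(args, authtok):
    # use_first_pass: check whatever the previous module left as the password.
    return ("success" if authtok == PASSWORD else "auth_err"), authtok

MODULES = {
    "pam_google_authenticator.so": google_authenticator,
    "pam_yubico.so": yubico,
    "pam_unix.so": unix,
    "pam_deny.so": lambda args, tok: ("auth_err", tok),
    "pam_permit.so": lambda args, tok: ("success", tok),
}

def run_stack(entries, authtok):
    """Evaluate the stack per pam.conf(5); True means PAM_SUCCESS."""
    impression = None   # None: undecided, True: positive, False: negative
    i = 0
    while i < len(entries):
        e = entries[i]
        retval, authtok = MODULES[e.module](e.args, authtok)
        action = e.control.get(retval, e.control.get("default", "bad"))
        i += 1
        if action == "ignore":
            continue
        if action == "die":          # requisite failure: stop immediately
            return False
        if action == "bad":          # required failure: remember, keep going
            impression = False
        elif action == "done":
            if impression is None:
                impression = True
            if impression:
                return True
        else:                        # "ok", or a jump N (ok + skip N entries)
            if impression is None:
                impression = True
            if action.isdigit():
                i += int(action)
    return impression is True

STACK = parse_stack(PAM_STACK)

def authenticate(authtok):
    """Authenticate with the combined password+OTP string the user typed."""
    return run_stack(STACK, authtok)
```

Running `authenticate(PASSWORD + TOTP_NOW)` and `authenticate(PASSWORD + YUBI_OTP)` succeed, while the password alone, either OTP alone, or a wrong password with a valid OTP all end on one of the `requisite pam_deny.so` lines and fail; the trailing `required pam_permit.so` is what leaves a positive result once both jumps have been taken.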