On Thu, 2021-10-07 at 15:14 -0400, Ken Hornstein wrote:
> > Ken Hornstein <k...@cmf.nrl.navy.mil> writes:
> >
> > > I am not sure of the client coverage of the OTP FAST factor,
> > > though.
> >
> > For what it's worth, although my pam-krb5 module implements FAST
> > including both keyed and anonymous FAST, it does not implement
> > FAST OTP. This is because (a) I didn't find any documentation of
> > what I was supposed to do as a client (it's been years since I
> > looked so this quite possibly has changed),
>
> Huh, I _kinda_ thought that if you had FAST going, you got FAST OTP
> (on the client at least) for free! Which shows what I know. Maybe it
> works already and you never tested it?
>
> > and (b) attempting to set up a reasonable test environment
> > looked painful. In particular, there was (at the time, again
> > haven't checked recently) a lot of hand-waving about exactly to
> > set up the RADIUS part, since MIT Kerberos just treats it as an
> > oracle.
>
> Right, THIS is actually a huge problem. Like having to set up a
> RADIUS server? Ugh. It's also a problem for development! Like the
> only way I have found to effectively test preauth mechanisms is to
> do testing on one of our replica KDCs.

Starting an ad-hoc kdc is pretty easy, I have it done in the make check
phase in many small projects, including starting an ldap server, I
haven't tried radius, but hopefully starting a freeradius server is not
exceedingly hard either.

Simo.

--
Simo Sorce
RHEL Crypto Team
Red Hat, Inc

________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos