[39011] in Kerberos

Re: 2FA with krb5

daemon@ATHENA.MIT.EDU (Russ Allbery)
Thu Oct 7 14:53:09 2021

From: Russ Allbery <eagle@eyrie.org>
To: Ken Hornstein <kenh@cmf.nrl.navy.mil>
In-Reply-To: <202110070127.1971R4KA032759@hedwig.cmf.nrl.navy.mil> (Ken
	Hornstein's message of "Wed, 06 Oct 2021 21:27:04 -0400")
Date: Thu, 07 Oct 2021 11:50:37 -0700
Message-ID: <87pmsgpt36.fsf@hope.eyrie.org>
Cc: kerberos@mit.edu

Ken Hornstein <kenh@cmf.nrl.navy.mil> writes:

> I am not sure of the client coverage of the OTP FAST factor, though.

For what it's worth, although my pam-krb5 module implements FAST including
both keyed and anonymous FAST, it does not implement FAST OTP.  This is
because (a) I didn't find any documentation of what I was supposed to do
as a client (it's been years since I looked so this quite possibly has
changed), and (b) attempting to set up a reasonable test environment
looked painful.  In particular, there was (at the time, again haven't
checked recently) a lot of hand-waving about exactly how to set up the
RADIUS part, since MIT Kerberos just treats it as an oracle.

I haven't checked if sssd supports FAST OTP.  That seems much more likely
given that they probably have enterprise use cases that would warrant
implementing it.

I'd be happy to take pull requests since I try to make pam-krb5 reasonably
completionist as a hobby (although be aware that it's a purely hobby
project at this point), but they would need to include changes to the ci
directory to set up the KDC and RADIUS server appropriately so that the
test suite could do a proper end-to-end integration test.

-- 
Russ Allbery (eagle@eyrie.org)             <https://www.eyrie.org/~eagle/>
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
