
Re: 2FA with krb5

daemon@ATHENA.MIT.EDU (Simo Sorce)
Thu Oct 7 15:09:17 2021

Message-ID: <2d2f475461321969c4ea7146930bb4c2a08533c2.camel@redhat.com>
From: Simo Sorce <simo@redhat.com>
To: Russ Allbery <eagle@eyrie.org>, Ken Hornstein <kenh@cmf.nrl.navy.mil>
Date: Thu, 07 Oct 2021 15:06:14 -0400
In-Reply-To: <87pmsgpt36.fsf@hope.eyrie.org>
MIME-Version: 1.0
Cc: kerberos@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

On Thu, 2021-10-07 at 11:50 -0700, Russ Allbery wrote:
> Ken Hornstein <kenh@cmf.nrl.navy.mil> writes:
> 
> > I am not sure of the client coverage of the OTP FAST factor, though.
> 
> For what it's worth, although my pam-krb5 module implements FAST including
> both keyed and anonymous FAST, it does not implement FAST OTP.  This is
> because (a) I didn't find any documentation of what I was supposed to do
> as a client (it's been years since I looked so this quite possibly has
> changed), and (b) attempting to set up a reasonable test environment
> looked painful.  In particular, there was (at the time, again haven't
> checked recently) a lot of hand-waving about exactly how to set up the RADIUS
> part, since MIT Kerberos just treats it as an oracle.

It is somewhat documented, but see below.

> I haven't checked if sssd supports FAST OTP.  That seems much more likely
> given that they probably have enterprise use cases that would warrant
> implementing it.

It does, and FreeIPA implements the server part, so you can look there
for examples and testing capabilities if you are so inclined.

> I'd be happy to take pull requests since I try to make pam-krb5 reasonably
> completionist as a hobby (although be aware that it's a purely hobby
> project at this point), but they would need to include changes to the ci
> directory to set up the KDC and RADIUS server appropriately so that the
> test suite could do a proper end-to-end integration test.

HTH,
Simo.

-- 
Simo Sorce
RHEL Crypto Team
Red Hat, Inc
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos