[39013] in Kerberos
Re: 2FA with krb5
daemon@ATHENA.MIT.EDU (Ken Hornstein)
Thu Oct 7 15:17:35 2021
Message-ID: <202110071914.197JEXTD007325@hedwig.cmf.nrl.navy.mil>
From: Ken Hornstein <kenh@cmf.nrl.navy.mil>
To: Russ Allbery <eagle@eyrie.org>
In-Reply-To: <87pmsgpt36.fsf@hope.eyrie.org>
MIME-Version: 1.0
Date: Thu, 07 Oct 2021 15:14:33 -0400
Cc: kerberos@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
>Ken Hornstein <kenh@cmf.nrl.navy.mil> writes:
>
>> I am not sure of the client coverage of the OTP FAST factor, though.
>
>For what it's worth, although my pam-krb5 module implements FAST including
>both keyed and anonymous FAST, it does not implement FAST OTP. This is
>because (a) I didn't find any documentation of what I was supposed to do
>as a client (it's been years since I looked so this quite possibly has
>changed),
Huh, I _kinda_ thought that if you had FAST going, you got FAST OTP (on
the client at least) for free! Which shows what I know. Maybe it works
already and you never tested it?
>and (b) attempting to set up a reasonable test environment
>looked painful. In particular, there was (at the time, again haven't
>checked recently) a lot of hand-waving about exactly to set up the RADIUS
>part, since MIT Kerberos just treats it as an oracle.
Right, THIS is actually a huge problem. Like having to set up a RADIUS
server? Ugh. It's also a problem for development! Like the only
way I have found to effectively test preauth mechanisms is to do
testing on one of our replica KDCs.
--Ken
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
