[39015] in Kerberos
Re: 2FA with krb5
daemon@ATHENA.MIT.EDU (Simo Sorce)
Thu Oct 7 15:38:26 2021
Message-ID: <380d6720b77f3e741f334afc9fda20bdf75b68f0.camel@redhat.com>
From: Simo Sorce <simo@redhat.com>
To: Ken Hornstein <kenh@cmf.nrl.navy.mil>, Russ Allbery <eagle@eyrie.org>
Date: Thu, 07 Oct 2021 15:35:41 -0400
In-Reply-To: <202110071914.197JEXTD007325@hedwig.cmf.nrl.navy.mil>
Cc: kerberos@mit.edu
On Thu, 2021-10-07 at 15:14 -0400, Ken Hornstein wrote:
> > Ken Hornstein <kenh@cmf.nrl.navy.mil> writes:
> >
> > > I am not sure of the client coverage of the OTP FAST factor,
> > > though.
> >
> > For what it's worth, although my pam-krb5 module implements FAST
> > including both keyed and anonymous FAST, it does not implement FAST OTP.
> > This is because (a) I didn't find any documentation of what I was supposed
> > to do as a client (it's been years since I looked so this quite possibly
> > has changed),
>
> Huh, I _kinda_ thought that if you had FAST going, you got FAST OTP (on
> the client at least) for free! Which shows what I know. Maybe it works
> already and you never tested it?
>
> > and (b) attempting to set up a reasonable test environment
> > looked painful. In particular, there was (at the time, again haven't
> > checked recently) a lot of hand-waving about exactly how to set up the
> > RADIUS part, since MIT Kerberos just treats it as an oracle.
>
> Right, THIS is actually a huge problem. Like having to set up a RADIUS
> server? Ugh. It's also a problem for development! Like the only
> way I have found to effectively test preauth mechanisms is to do
> testing on one of our replica KDCs.
Starting an ad-hoc KDC is pretty easy; I have it done in the make check
phase in many small projects, including starting an LDAP server. I
haven't tried RADIUS, but hopefully starting a freeradius server is not
exceedingly hard either.
Simo.
--
Simo Sorce
RHEL Crypto Team
Red Hat, Inc
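The ad-hoc KDC Simo describes, written out as an added example (this is not code from the thread or from any of Simo's projects): it writes a throwaway krb5.conf and kdc.conf into a scratch directory, creates the database with a stash file, adds one principal and runs krb5kdc on an unprivileged port so a make check target can start and stop it without root. It assumes the MIT Kerberos tools kdb5_util, kadmin.local and krb5kdc are on PATH; the realm, port, principal and passwords are constructed test values.

```shell
#!/bin/sh
# Added example, not from this thread or any of Simo's projects. Assumes MIT
# Kerberos admin tools on PATH; realm, port, principal and passwords are constructed.
set -eu

REALM=EXAMPLE.TEST
KDC_PORT=61088            # unprivileged port: the whole thing runs without root

# Write a self-contained krb5.conf and kdc.conf under the scratch dir $1.
write_kdc_env() {
    dir=$1
    mkdir -p "$dir/db"
    cat > "$dir/krb5.conf" <<EOF
[libdefaults]
    default_realm = $REALM
[realms]
    $REALM = {
        kdc = 127.0.0.1:$KDC_PORT
    }
EOF
    cat > "$dir/kdc.conf" <<EOF
[kdcdefaults]
    kdc_listen = 127.0.0.1:$KDC_PORT
    kdc_tcp_listen = 127.0.0.1:$KDC_PORT
[realms]
    $REALM = {
        database_name = $dir/db/principal
        key_stash_file = $dir/db/stash
        acl_file = $dir/kadm5.acl
    }
EOF
    printf '*/admin@%s *\n' "$REALM" > "$dir/kadm5.acl"
}

# Create the database, add one test principal and start krb5kdc in the
# background; the pid is left in $1/kdc.pid so the harness can stop it later.
start_adhoc_kdc() {
    dir=$1
    export KRB5_CONFIG="$dir/krb5.conf" KRB5_KDC_PROFILE="$dir/kdc.conf"
    kdb5_util create -s -r "$REALM" -P test-master-key >/dev/null
    kadmin.local -q "addprinc -pw testpass testuser" >/dev/null
    krb5kdc -n &
    echo $! > "$dir/kdc.pid"
}
stop_adhoc_kdc() { kill "$(cat "$1/kdc.pid")"; }

# Only start a real KDC when asked (ADHOC_KDC_START=1), e.g. from a make check target.
if [ "${ADHOC_KDC_START:-0}" = 1 ]; then
    scratch=$(mktemp -d); write_kdc_env "$scratch"; start_adhoc_kdc "$scratch"
    echo "KDC running on 127.0.0.1:$KDC_PORT, KRB5_CONFIG=$scratch/krb5.conf"
fi
```

With the KDC up, `KRB5_CONFIG=$scratch/krb5.conf kinit testuser` against it is the smoke test; any preauth mechanism under test is then configured in the generated kdc.conf before start_adhoc_kdc runs.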
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos