[39017] in Kerberos

Re: 2FA with krb5

daemon@ATHENA.MIT.EDU (Jochen Kellner)
Thu Oct 7 17:13:35 2021

From: Jochen Kellner <jochen@jochen.org>
To: Ken Hornstein <kenh@cmf.nrl.navy.mil>
Date: Thu, 07 Oct 2021 21:29:57 +0200
In-Reply-To: <202110071835.197IZZDh007055@hedwig.cmf.nrl.navy.mil> (Ken
	Hornstein's message of "Thu, 07 Oct 2021 14:35:35 -0400")
Message-ID: <83wnmo8wga.fsf@jochen.org>
MIME-Version: 1.0
Cc: kerberos@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

Ken Hornstein <kenh@cmf.nrl.navy.mil> writes:

>>I've been running Privacyidea (https://www.privacyidea.org/) for some
>>time to manage the tokens. Exposed the Application with RADIUS and told
>>FreeIPA to authenticate against RADIUS. Had some rough edges, but was
>>usable for me and is able to manage many kinds of tokens. 
>
> So what's the _client_ look like?  Specifically, are you doing FAST-OTP?
> If so, what client software are you using?  Does this only work on
> systems with host keys, or do you do anonymous PKINIT?

I mostly use sssd and kinit. I'm not sure what sssd uses, but I remember
traces from kinit using PKINIT. These two clients worked well for me.

Other clients (java applications) had problems with OTP. See
https://lists.jboss.org/pipermail/keycloak-user/2018-January/012759.html
for the analysis we did there.

As you said - with the "right" clients it might work. Otherwise you
might be stuck.

Jochen

-- 
This space is intentionally left blank.
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos