[39026] in Kerberos


Re: 2FA with krb5

daemon@ATHENA.MIT.EDU (Charles Hedrick)
Fri Oct 15 16:55:59 2021

From: Charles Hedrick <hedrick@rutgers.edu>
In-Reply-To: <87lf34prw2.fsf@hope.eyrie.org>
Date: Fri, 15 Oct 2021 16:52:56 -0400
Message-ID: <66D2C934-E3FF-4A81-9576-B32396A98000@rutgers.edu>
To: Russ Allbery <eagle@eyrie.org>
MIME-Version: 1.0
Cc: Ken Hornstein <kenh@cmf.nrl.navy.mil>, kerberos@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

We use TOTP. That allows us to tack the token on the end of the password. That makes it easy to fix programs that expect a simple password prompt.

In fact I have a wrapper that can be interposed around pretty much anything using LD_PRELOAD.

https://github.com/clhedrick/kerberos/blob/master/radius-wrap/radius-wrap.c

> On Oct 7, 2021, at 3:16 PM, Russ Allbery <eagle@eyrie.org> wrote:
> 
> Ken Hornstein <kenh@cmf.nrl.navy.mil> writes:
> 
>> Huh, I _kinda_ thought that if you had FAST going, you got FAST OTP (on
>> the client at least) for free!  Which shows what I know.  Maybe it works
>> already and you never tested it?
> 
> The bit that I suspect doesn't work is all the interactions between the
> prompting and the prompt control options like use_first_pass.
> 
> -- 
> Russ Allbery (eagle@eyrie.org)             <https://www.eyrie.org/~eagle/>
> ________________________________________________
> Kerberos mailing list           Kerberos@mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos


________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
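
Added example, not part of the original message and not the code from the linked repository: one way a verifier can split a "password followed by TOTP token" credential like the one described above and check the token per RFC 6238. The 6-digit token length, 30-second step, HMAC-SHA1 and all function names are assumptions; the secret used to exercise it is the published RFC 6238 test key.

```python
import hashlib
import hmac
import struct

DIGITS = 6   # assumption: 6-digit tokens
STEP = 30    # assumption: 30-second time step (RFC 6238 default)


def totp(secret: bytes, now: float, digits: int = DIGITS, step: int = STEP) -> str:
    """RFC 6238 TOTP over HMAC-SHA1, using the RFC 4226 dynamic truncation."""
    counter = struct.pack(">Q", int(now) // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def split_credential(combined: str, digits: int = DIGITS):
    """Split 'password' + 'token' into (password, token); None if malformed.

    The token is always the last `digits` characters, so a password that
    itself ends in digits is still split correctly.
    """
    token = combined[-digits:]
    if len(combined) <= digits or not (token.isascii() and token.isdigit()):
        return None
    return combined[:-digits], token


def verify_token(secret: bytes, token: str, now: float, window: int = 1) -> bool:
    """Accept the current step and +/- `window` steps of clock drift.

    Every candidate is compared in constant time and the loop never exits
    early, so timing does not reveal which step matched.
    """
    ok = False
    for drift in range(-window, window + 1):
        expected = totp(secret, now + drift * STEP)
        ok |= hmac.compare_digest(expected, token)
    return ok
```

A deployment would also record the last accepted time step per user and reject a token that has already been used in that step.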
