Re: 2FA with krb5

https://www.rocksolidbbs.com/devel/article-flat.php?id=161&group=comp.protocols.kerberos#161

  copy link   Newsgroups: comp.protocols.kerberos
Path: i2pn2.org!i2pn.org!weretis.net!feeder6.news.weretis.net!tncsrv06.tnetconsulting.net!.POSTED.pch.mit.edu!not-for-mail
From: jochen@jochen.org (Jochen Kellner)
Newsgroups: comp.protocols.kerberos
Subject: Re: 2FA with krb5
Date: Thu, 07 Oct 2021 19:35:59 +0200
Message-ID: <mailman.1.1633631069.13936.kerberos@mit.edu>
References: <5ee92454-ec38-d5de-5b36-4b2d87fd7f@prime.gushi.org>
<202110070127.1971R4KA032759@hedwig.cmf.nrl.navy.mil>
In-Reply-To: <202110070127.1971R4KA032759@hedwig.cmf.nrl.navy.mil> (Ken
Hornstein's message of "Wed, 06 Oct 2021 21:27:04 -0400")
List-Id: The Kerberos Authentication System Mailing List <kerberos.mit.edu>
 by: Jochen Kellner - Thu, 7 Oct 2021 17:35 UTC

Hi,

[I'm running Kerberos inside FreeIPA, so plain Kerberos might be
different...]

Ken Hornstein <kenh@cmf.nrl.navy.mil> writes:

>>We'd like to be able to leverage 2fa for some services (admins) and some
>>services (ssh logins) but not have to pump a 2fa code into, say, our mail
>>applications. Is there a way to make the acquisition of a TGT (for GSSAPI
>>authentication) vs Password Authentication require 2fa?
>
> Yes (I'll explain more below).
>
>>That's complication number one.
>>
>>Complication number 2 is something like "SecurID is *expensive* for a
>>fairly small (<10) admin team."
>
> Yeah, tell me about it.

I've been running privacyIDEA (https://www.privacyidea.org/) for some
time to manage the tokens. I exposed the application via RADIUS and told
FreeIPA to authenticate against RADIUS. It had some rough edges, but was
usable for me and is able to manage many kinds of tokens.

Will it work for you? Maybe...

Jochen

--
This space is intentionally left blank.
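
The setup Jochen describes has two legs: FreeIPA (via its ipa-otpd daemon) turns the user's Kerberos pre-authentication into a RADIUS Access-Request, and the token server answers Access-Accept or Access-Reject after checking PIN+OTP. The simulation below, added here as an example and not code from the post, privacyIDEA or FreeIPA, runs both sides in one process so the RFC 2865 PAP exchange can be inspected offline: the Request Authenticator, the MD5-based User-Password hiding, the Response Authenticator the client must verify, and a one-time OTP store. The user name, PIN, OTP values and shared secret are constructed; ToyTokenStore stands in for the real token database.

```python
"""RADIUS PAP round trip (RFC 2865) simulated in-process.
Added example, not code from the post, privacyIDEA or FreeIPA;
user, PIN, OTPs and shared secret are constructed values."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2


def encode_attrs(pairs):
    """Type-Length-Value attributes; Length includes the 2-byte header."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in pairs)


def parse_attrs(blob):
    attrs, i = {}, 0
    while i < len(blob):
        t, length = blob[i], blob[i + 1]
        attrs[t] = blob[i + 2:i + length]
        i += length
    return attrs


def hide_password(secret, authenticator, password):
    """RFC 2865 5.2: pad to 16 bytes, XOR each block with MD5(secret || prev).
    Obfuscation keyed by the shared secret, not encryption in a modern sense."""
    pw = password.encode()
    pw += b"\x00" * (-len(pw) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(pw), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(x ^ y for x, y in zip(pw[i:i + 16], key))
        out, prev = out + block, block
    return out


def reveal_password(secret, authenticator, hidden):
    """Inverse of hide_password; yields garbage (no error) if secrets differ."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        chunk = hidden[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(chunk, key))
        prev = chunk
    return out.rstrip(b"\x00").decode("utf-8", "replace")


def build_access_request(secret, ident, username, password):
    auth = os.urandom(16)  # fresh Request Authenticator for every request
    attrs = encode_attrs([(ATTR_USER_NAME, username.encode()),
                          (ATTR_USER_PASSWORD, hide_password(secret, auth, password))])
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + auth + attrs


def build_response(secret, code, ident, request_auth, attrs=b""):
    """Response Authenticator = MD5(Code|ID|Length|RequestAuth|Attrs|Secret)."""
    hdr = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hdr + hashlib.md5(hdr + request_auth + attrs + secret).digest() + attrs


def server_handle(secret, packet, verify):
    """Token-server side: recover PIN+OTP, answer Accept or Reject."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    req_auth, attrs = packet[4:20], parse_attrs(packet[20:length])
    if code != ACCESS_REQUEST or not {ATTR_USER_NAME, ATTR_USER_PASSWORD} <= attrs.keys():
        return build_response(secret, ACCESS_REJECT, ident, req_auth)
    ok = verify(attrs[ATTR_USER_NAME].decode(),
                reveal_password(secret, req_auth, attrs[ATTR_USER_PASSWORD]))
    return build_response(secret, ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, req_auth)


def client_check_response(secret, request, response):
    """Client side: same ID, Response Authenticator valid under our secret,
    and code Access-Accept; anything else is a failed authentication."""
    code, ident, length = struct.unpack("!BBH", response[:4])
    if ident != request[1]:
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:length] + secret).digest()
    return hmac.compare_digest(expected, response[4:20]) and code == ACCESS_ACCEPT


class ToyTokenStore:
    """Stand-in for the token database (constructed data): a PIN and a set of
    not-yet-used OTPs per user; an OTP is consumed on first successful use."""
    def __init__(self):
        self.pins = {"jochen": "1234"}
        self.unused_otps = {"jochen": {"287082", "359152"}}

    def verify(self, user, password):
        pin = self.pins.get(user)
        if pin is None or not password.startswith(pin):
            return False
        otp = password[len(pin):]
        if otp in self.unused_otps.get(user, set()):
            self.unused_otps[user].discard(otp)  # a used OTP cannot be replayed
            return True
        return False


def authenticate(store, client_secret, server_secret, username, password):
    """Full exchange: client request -> server verdict -> client verification."""
    req = build_access_request(client_secret, 7, username, password)
    resp = server_handle(server_secret, req, store.verify)
    return client_check_response(client_secret, req, resp)
```

Two things the simulation makes visible. First, everything that protects the RADIUS leg is MD5 keyed with the shared secret: the password hiding and the Response Authenticator are not a modern MAC, so the hop between the KDC side and the token server wants a dedicated or isolated network segment (or a tunnel), a long random secret, and no reuse of that secret across clients. Second, what actually stops replay of a sniffed request is the token server refusing a used OTP, not anything in the RADIUS framing, which is why the OTP leg cannot be replaced by a static password. On the FreeIPA side, the corresponding configuration is `ipa radiusproxy-add` for the server and secret, then `ipa user-mod --user-auth-type=radius --radius=<proxy>` for the users who should be challenged; users without that auth type keep password-only pre-authentication, which is the per-service split the original question asks about.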
