Re: 2FA with krb5

https://www.rocksolidbbs.com/devel/article-flat.php?id=181&group=comp.protocols.kerberos#181

From: hedrick@rutgers.edu (Charles Hedrick)
Newsgroups: comp.protocols.kerberos
Subject: Re: 2FA with krb5
Date: Sat, 16 Oct 2021 00:22:11 +0000
Organization: TNet Consulting
Lines: 27
Message-ID: <mailman.2.1634343737.15600.kerberos@mit.edu>
References: <5ee92454-ec38-d5de-5b36-4b2d87fd7f@prime.gushi.org>
<202110070127.1971R4KA032759@hedwig.cmf.nrl.navy.mil>
<87pmsgpt36.fsf@hope.eyrie.org>
<202110071914.197JEXTD007325@hedwig.cmf.nrl.navy.mil>
<87lf34prw2.fsf@hope.eyrie.org>
<66D2C934-E3FF-4A81-9576-B32396A98000@rutgers.edu>
<202110152149.19FLngoW009481@hedwig.cmf.nrl.navy.mil>
Cc: "kerberos@mit.edu" <kerberos@mit.edu>
To: Ken Hornstein <kenh@cmf.nrl.navy.mil>
In-Reply-To: <202110152149.19FLngoW009481@hedwig.cmf.nrl.navy.mil>
List-Id: The Kerberos Authentication System Mailing List <kerberos.mit.edu>

I’m not using that code now. When using it for real I would generate a special keytab with a user that had no permissions to do anything, or use the host keytab, depending upon the application.

Our staff and a few users have TOTP set for their account, so it has to work for everything. Logins use sssd, with its PAM. We have a service with source in the same repo that keeps credentials renewed and kills them when the user's last session is gone. In case we need to kinit I have a script that gets an anonymous credential and passes it to kinit -T. I get the credential from a service on the Kerberos server. It’s the same service that generates credentials for cron jobs. I could use kinit -n, but that creates a problem of distributing certs to all clients. The service is easier.

I don’t like keytabs for users because if someone manages to get a copy you have no way of knowing, and it can be used anywhere in the system. So if a user wants to use cron jobs that need credentials, they register with the service. At that point a PAM module used by cron can get a credential for them. It’s not forwardable, and is locked to that host's IP. The primary use is so cron jobs can access files, since all our file systems are kerberized.

We are fully kerberized. But one implementation constraint was that it should be invisible to users, except if they run cron jobs. That requires more work than it ought to.

> On Oct 15, 2021, at 5:50 PM, Ken Hornstein <kenh@cmf.nrl.navy.mil> wrote:
>
> 
>>
>> We use TOTP. That allows us to tack the token on the end of the
>> password. That makes it easy to fix programs that expect a simple
>> password prompt.
>>
>> In fact I have a wrapper that can be interposed around pretty much
>> anything using LD_PRELOAD.
>> [...]
>
> Well, that answers PART of my question. And I am guessing based on
> the README for that you use k5start to generate the FAST armor cache
> using the host key in the keytab? But this seems kind of RADIUS
> specific; do you use TOTP for people who just use kinit?
>
> --Ken
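The thread's "tack the token on the end of the password" scheme only works if whatever sits behind the password prompt (a RADIUS back end, an OTP preauth plugin, a PAM module) can split the combined string back apart and check the TOTP before the bare password goes to the KDC. The Python below is an added example of that verification side; it is not code from this thread, from Rutgers, or from any Kerberos project. It assumes the common RFC 6238 profile (HMAC-SHA1, 30-second step, 6 digits), a one-step clock-skew window, and a hypothetical `last_counter` value persisted per user for replay refusal; the secret is the RFC 4226/6238 reference key, used here only as a constructed sample. It goes a little beyond the post by handling the skew window and single-use enforcement, which any real deployment of this scheme needs.

```python
"""Verifier for a "<password><totp>" string, as seen by a RADIUS/PAM back end.

Added example, not code from the thread. Assumes RFC 6238 with HMAC-SHA1,
30-second steps, 6 digits, and a one-step skew window. The secret below is
the RFC 4226/6238 test key, used only as a constructed sample.
"""
import hashlib
import hmac

# Constructed sample: the RFC 4226 / RFC 6238 reference secret.
SAMPLE_SECRET = b"12345678901234567890"
STEP = 30
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = STEP, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, int(at_time) // step, digits)


def split_combined(combined: str, digits: int = DIGITS):
    """Split "<password><totp>" into its parts.

    The token is always the last `digits` characters, so a password that
    itself ends in digits is not ambiguous. A string too short to hold both
    a password and a token, or whose tail is not all digits, is rejected.
    """
    if len(combined) <= digits:
        raise ValueError("input too short to contain a password and a token")
    password, code = combined[:-digits], combined[-digits:]
    if not code.isdigit():
        raise ValueError("trailing characters are not a numeric token")
    return password, code


def verify_totp(secret, code, at_time, last_counter=-1, skew=1, step=STEP, digits=DIGITS):
    """Return the time-step counter the code matched, or None.

    Every candidate in the skew window is compared in constant time, and any
    step at or before `last_counter` (hypothetical per-user state) is refused,
    so a code captured from one login cannot be replayed inside the window.
    """
    now = int(at_time) // step
    for counter in range(now - skew, now + skew + 1):
        if counter < 0 or counter <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, counter, digits), code):
            return counter
    return None


def authenticate(combined, secret, at_time, last_counter=-1):
    """Split the combined string and check the token.

    On success returns (password, matched_counter) so the caller can pass the
    bare password on to the real password check (Kerberos/RADIUS, not done
    here) and persist the counter for replay protection; returns None on any
    failure, without distinguishing the reasons to the caller.
    """
    try:
        password, code = split_combined(combined)
    except ValueError:
        return None
    counter = verify_totp(secret, code, at_time, last_counter)
    if counter is None:
        return None
    return password, counter


if __name__ == "__main__":
    # At t=59 the RFC 6238 vector for this secret is 287082.
    print(authenticate("hunter2287082", SAMPLE_SECRET, at_time=59))
```

The split is done from the right, by token length, because the password may legitimately end in digits; the opposite (a token that is not all digits, or a string too short to carry both) is rejected before any HMAC work. Returning the matched counter rather than a bare boolean is what lets the caller refuse the same code a second time, which the skew window would otherwise permit.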

