From: mzagrabe@d.umn.edu (Matt Zagrabelny)
Newsgroups: comp.protocols.kerberos
Subject: help with OTP
Date: Mon, 24 Apr 2023 16:42:44 -0500
Organization: TNet Consulting
Lines: 80
Message-ID: <mailman.61.1682372584.1964.kerberos@mit.edu>
References: <CAOLfK3WVppnk3eouiLTxhiR5gXQcCVd7K5xr_erP=y_RkeVpPw@mail.gmail.com>
List-Id: The Kerberos Authentication System Mailing List <kerberos.mit.edu>

Greetings Kerberos folks,

I am attempting to understand a bit more of the OTP support in MIT's
Kerberos implementation.

I'm running Debian stable:

ii krb5-kdc 1.18.3-6+deb11u3

I'm looking at the docs at:

https://web.mit.edu/kerberos/krb5-1.13/doc/admin/conf_files/kdc_conf.html#otp

The docs say about the "secret":

---<cut>---
This tag indicates a filename (which may be relative to
LOCALSTATEDIR/krb5kdc) containing the secret used to encrypt the
RADIUS packets. The secret should appear in the first line of the file
by itself; leading and trailing whitespace on the line will be
removed. If the value of server is a Unix domain socket address, this
tag is optional, and an empty secret will be used if it is not
specified. Otherwise, this tag is required.
---<cut>---

which seems to indicate that the secret should be a path to a file.

The example:

---<cut>---
[otp]
MyRemoteTokenType = {
server = radius.mydomain.com:1812
secret = SEmfiajf42$
timeout = 15
retries = 5
strip_realm = true
}
---<cut>---

makes it look like you can put the secret directly into the
configuration file. There seems to be a little bit of a disconnect
between those two parts of the docs. I just wanted to point it out if
it is helpful.

I've tried to configure my kdc.conf with the required otp stanzas:

[otp]
MyRemoteTokenType = {
server = radius.mydomain.com
secret = super_secret_with_radiusd
timeout = 15
retries = 5
strip_realm = true
}

and I've set the otp string for my principal:

kadmin.local: set_string bob@MYDOMAIN.COM otp
[{"type":"MyRemoteTokenType ","username":"bob"}]
Attribute set for principal "bob@MYDOMAIN.COM".

When I kinit, I don't see any traffic go to the radius server (neither
in the kdc logs nor in the radiusd logs); I type my password for
Kerberos, which is different from my radius password, and I get the
TGT:

$ klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: bob@MYDOMAIN.COM

Valid starting Expires Service principal
04/24/2023 16:17:02 04/25/2023 02:17:02 krbtgt/MYDOMAIN.COM@MYDOMAIN.COM
renew until 04/25/2023 16:16:50

Any ideas what I am missing, or what steps I could take to debug this further?

Thanks for the help!

-m
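A small configuration lint, added here as an illustration and not part of the original post or of MIT krb5: it parses an [otp] stanza of the shape shown above and the principal's otp JSON string, then cross-checks the two against what the quoted docs say. It uses constructed copies of the stanza and the set_string value from the post (reproduced exactly, including the trailing space inside the "type" value), and assumes a secret directory path and the rule that a relative secret is resolved under LOCALSTATEDIR/krb5kdc, as the docs excerpt states. It does not claim which of its findings, if any, explains the behaviour the post describes; it only surfaces the mismatches a practitioner would want to rule out first.

```python
import json
import re
from pathlib import Path

# Constructed sample input: the [otp] stanza from the post.
SAMPLE_KDC_CONF = """\
[otp]
MyRemoteTokenType = {
server = radius.mydomain.com
secret = super_secret_with_radiusd
timeout = 15
retries = 5
strip_realm = true
}
"""

# Constructed sample input: the otp string exactly as set_string echoed it
# in the post (note the trailing space inside the "type" value).
SAMPLE_OTP_STRING = '[{"type":"MyRemoteTokenType ","username":"bob"}]'

# Assumed secret directory; Debian's LOCALSTATEDIR/krb5kdc would normally be
# /var/lib/krb5kdc, but any path can be passed to lint().
ASSUMED_SECRET_DIR = Path("/var/lib/krb5kdc")


def parse_otp_section(text):
    """Minimal parser for the [otp] section: {token_type: {key: value}}."""
    types = {}
    in_otp = False
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("["):
            in_otp = line == "[otp]"
            continue
        if not in_otp:
            continue
        start = re.match(r"^(\S+)\s*=\s*\{$", line)
        if start:
            current = start.group(1)
            types[current] = {}
            continue
        if line == "}":
            current = None
            continue
        if current is not None and "=" in line:
            key, value = line.split("=", 1)
            types[current][key.strip()] = value.strip()
    return types


def lint(types, otp_string, secret_dir):
    """Cross-check token-type definitions against a principal's otp string."""
    findings = []
    for name, opts in types.items():
        server = opts.get("server", "")
        is_unix_socket = server.startswith("/")
        if not is_unix_socket and ":" not in server:
            findings.append(
                f"{name}: server '{server}' gives no explicit port; the docs "
                f"example uses host:1812"
            )
        if not is_unix_socket and "secret" not in opts:
            findings.append(f"{name}: secret is required unless server is a Unix socket")
        elif "secret" in opts:
            # Per the quoted docs, secret is a filename, relative to secret_dir
            # when not absolute; a literal shared secret will not be a file.
            path = Path(opts["secret"])
            if not path.is_absolute():
                path = secret_dir / path
            if not path.is_file():
                findings.append(
                    f"{name}: secret '{opts['secret']}' does not name an existing "
                    f"file under {secret_dir}; docs say the tag is a filename"
                )
    for token in json.loads(otp_string):
        type_name = token.get("type")
        if type_name in types:
            continue
        hint = ""
        if isinstance(type_name, str) and type_name.strip() in types:
            hint = " (differs from a configured type only by surrounding whitespace)"
        findings.append(f"principal otp string references unknown token type {type_name!r}{hint}")
    return findings


def lint_sample(secret_dir=ASSUMED_SECRET_DIR):
    """Run the lint over the constructed sample from the post."""
    return lint(parse_otp_section(SAMPLE_KDC_CONF), SAMPLE_OTP_STRING, secret_dir)


if __name__ == "__main__":
    for finding in lint_sample():
        print("-", finding)
```

Run it against a real kdc.conf by reading the file into parse_otp_section() and passing the KDC's actual secret directory; an empty findings list means the token type names agree and the secret tag resolves to a file, which are the two points the quoted docs make explicit.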
