Re: help with OTP

https://www.rocksolidbbs.com/devel/article-flat.php?id=345&group=comp.protocols.kerberos#345

From: kenh@cmf.nrl.navy.mil (Ken Hornstein)
Newsgroups: comp.protocols.kerberos
Subject: Re: help with OTP
Date: Mon, 24 Apr 2023 18:25:19 -0400
Organization: TNet Consulting
Lines: 37
Message-ID: <mailman.62.1682375130.1964.kerberos@mit.edu>
References: <CAOLfK3WVppnk3eouiLTxhiR5gXQcCVd7K5xr_erP=y_RkeVpPw@mail.gmail.com>
<202304242225.33OMPJdw026540@hedwig.cmf.nrl.navy.mil>
Cc: kerberos <kerberos@mit.edu>
To: Matt Zagrabelny <mzagrabe@d.umn.edu>
In-Reply-To: <CAOLfK3WVppnk3eouiLTxhiR5gXQcCVd7K5xr_erP=y_RkeVpPw@mail.gmail.com>
 by: Ken Hornstein - Mon, 24 Apr 2023 22:25 UTC

>make it look like you can put the secret directly into the
>configuration file. There seems to be a little bit of disconnect
>between those two parts of the docs. I just wanted to point it out if
>it is helpful.

It looks like (according to the source code) it has to have that as
a filename.

>I've tried to configure my kdc.conf with the required otp stanzas:

Well, it's a preauthentication mechanism, so FIRST you have to make sure
your principal is configured to require preauthentication. And there
is a note at the bottom of that page that suggests you need to be using
FAST which implies you need to set up a FAST credential cache. And
I will be the first person to confess that I've always been a little
hazy on how exactly that works! (We do use an OTP preauthentication
mechanism but it predates the newer OTP mechanism you're using). I am
not aware of any extant documentation that explains how you're supposed
to use FAST in practice, which I always found a bit odd. I wasn't
involved with Kerberos protocol development when FAST was designed but I
remember a lot of messages about it, but it seems like there's a giant
hole on how exactly you're supposed to use it when it comes down to the
nuts and bolts. If there is some documentation about it, hey, I'd love
to read it! One of my long-term plans is to migrate our weird stuff to
something based on OTP which would involve FAST and I sure hope that's
actually possible in practice (I am aware that without an available
local keytab you'd have to do anonymous PKINIT and that wouldn't be too
bad for us since we already have all of the certificate stuff deployed
for PKINIT with Kerberos, but if you DIDN'T already have everything set
up for PKINIT it would be about as much fun as a punch in the face from
John Cena).

My guess is you could use kinit -k to get a TGT based on a keytab on the
host and then give THAT credential cache you create to the kinit command
using the -T option. Again, that's just a guess.

--Ken
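
One way to script the procedure Ken guesses at (an armor TGT from the host keytab via `kinit -k`, then `kinit -T` for the OTP-preauthenticated login), as an added example that is not part of the original post. The principal names, keytab path and user are assumptions; `kinit -n` (anonymous PKINIT) is the keytab-less fallback Ken mentions and presumes PKINIT is already deployed.

```shell
#!/bin/sh
# Added example, not from the original post. All names and paths are
# assumptions; the two-step kinit -k / kinit -T flow is the one guessed
# at in the message above.

# Run once on the KDC (admin side): OTP is a preauthentication mechanism,
# so the user principal must require preauthentication first.
require_preauth() {
    user_princ=$1
    kadmin.local -q "modify_principal +requires_preauth $user_princ"
}

# Step 1: put an armor TGT into its own credential cache. With a readable
# host keytab use "kinit -k"; otherwise fall back to anonymous PKINIT.
get_armor_ticket() {
    keytab=$1 armor_ccache=$2 host_princ=$3
    if [ -r "$keytab" ]; then
        kinit -k -t "$keytab" -c "$armor_ccache" "$host_princ"
    else
        kinit -n -c "$armor_ccache"
    fi
}

# Step 2: the user's kinit gets the armor cache via -T, so the exchange is
# FAST-protected, which the OTP preauth mechanism requires.
otp_kinit() {
    armor_ccache=$1 user_princ=$2 user_ccache=$3
    kinit -T "$armor_ccache" -c "$user_ccache" "$user_princ"
}

# Orchestrate both steps; the armor cache is destroyed afterwards so the
# host credential does not linger next to the user's tickets.
fast_otp_login() {
    keytab=$1 host_princ=$2 user_princ=$3 user_ccache=$4
    armor_ccache=${TMPDIR:-/tmp}/krb5cc_armor_$$
    get_armor_ticket "$keytab" "$armor_ccache" "$host_princ" || return 1
    otp_kinit "$armor_ccache" "$user_princ" "$user_ccache"
    rc=$?
    kdestroy -c "$armor_ccache" 2>/dev/null
    return $rc
}

# Usage (assumed names): fast_otp_login /etc/krb5.keytab \
#   host/kdc.example.com alice /tmp/krb5cc_alice
```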
