Re: help with OTP

From: mzagrabe@d.umn.edu (Matt Zagrabelny)
Newsgroups: comp.protocols.kerberos
Subject: Re: help with OTP
Date: Tue, 25 Apr 2023 11:38:11 -0500
Organization: TNet Consulting
Lines: 79
Message-ID: <mailman.63.1682440749.1964.kerberos@mit.edu>
References: <CAOLfK3WVppnk3eouiLTxhiR5gXQcCVd7K5xr_erP=y_RkeVpPw@mail.gmail.com>
<202304242225.33OMPJdw026540@hedwig.cmf.nrl.navy.mil>
<CAOLfK3XZF95-XoaW8y8cMrMETpWQNV-=EEkMyreo18WXH5M3sg@mail.gmail.com>
Cc: kerberos <kerberos@mit.edu>
To: Ken Hornstein <kenh@cmf.nrl.navy.mil>

Hi Ken!

On Mon, Apr 24, 2023 at 5:25 PM Ken Hornstein <kenh@cmf.nrl.navy.mil> wrote:
>
> >make it look like you can put the secret directly into the
> >configuration file. There seems to be a little bit of disconnect
> >between those two parts of the docs. I just wanted to point it out if
> >it is helpful.
>
> It looks like (according to the source code) it has to have that as
> a filename.

Thanks for source diving and confirming how to use that config directive.

> >I've tried to configure my kdc.conf with the required otp stanzas:
>
> Well, it's a preauthentication mechanism, so FIRST you have to make sure
> your principal is configured to require preauthentication.

Sure. I just did that:

kadmin.local: modify_principal +requires_preauth bob@MYDOMAIN.COM
Principal "bob@MYDOMAIN.COM" modified.

I've searched the docs and didn't find anything, but... I don't
suppose there is a config item for the KDC to require preauth for
"user" principals?

> And there
> is a note at the bottom of that page that suggests you need to be using
> FAST which implies you need to set up a FAST credential cache.

I've done some searching and found:

https://web.mit.edu/kerberos/krb5-1.12/doc/basic/ccache_def.html

...but no mention of FAST.

> And
> I will be the first person to confess that I've always been a little
> hazy on how exactly that works! (We do use an OTP preauthentication
> mechanism but it predates the newer OTP mechanism you're using). I am
> not aware of any extant documentation that explains how you're supposed
> to use FAST in practice, which I always found a bit odd.

I haven't found any documentation about configuring the KDC to use FAST.

> I wasn't
> involved with Kerberos protocol development when FAST was designed but I
> remember a lot of messages about it, but it seems like there's a giant
> hole on how exactly you're supposed to use it when it comes down to the
> nuts and bolts. If there is some documentation about it, hey, I'd love
> to read it!

Ditto.

> One of my long-term plans is to migrate our weird stuff to
> something based on OTP which would involve FAST and I sure hope that's
> actually possible in practice (I am aware that without an available
> local keytab you'd have to do anonymous PKINIT and that wouldn't be too
> bad for us since we already have all of the certificate stuff deployed
> for PKINIT with Kerberos, but if you DIDN'T already have everything set
> up for PKINIT it would be about as much fun as a punch in the face from
> John Cena).
>
> My guess is you could use kinit -k to get a TGT based on a keytab on the
> host and then give THAT credential cache you create to the kinit command
> using the -T option. Again, that's just a guess.

Yeah... I'm unsure how this all plumbs together.

Thanks for the reply. Maybe someone else, with FAST experience (?),
will chime in.

Cheers,

-m
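An added kdc.conf example, not from this thread or from the MIT krb5 project, that puts together the two KDC-side points discussed above: preauthentication required by default for newly created principals (existing ones still need the modify_principal +requires_preauth shown in the reply), and the [otp] stanza with the RADIUS shared secret given as a filename rather than inline. The realm, hostname, file path and token-type name are assumptions.

```ini
# kdc.conf (added example; realm, hostnames, paths and token-type name
# are assumptions, not values from the thread or the MIT documentation).
[realms]
    MYDOMAIN.COM = {
        # Applies to principals created from now on; principals that
        # already exist still need "modify_principal +requires_preauth".
        default_principal_flags = +preauth
    }

[otp]
    # Token type name, referenced from the principal's otp string attribute.
    DEFAULT = {
        # RADIUS server the KDC forwards the submitted OTP value to (assumed host)
        server = radius.mydomain.com:1812
        # The shared secret is READ FROM THIS FILE; the secret itself is not
        # written inline here. Keep the file mode 0600, owned by the KDC user.
        secret = /var/kerberos/krb5kdc/radius.secret
        timeout = 5
        retries = 3
        # Send "bob" rather than "bob@MYDOMAIN.COM" to the RADIUS server
        strip_realm = true
    }
```

Nothing in kdc.conf enables FAST; the armor credential cache comes from the client side (the kinit -k then kinit -T sequence guessed at above), and each OTP principal additionally needs its otp string attribute set with kadmin set_string.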
