Re: help with OTP
https://www.rocksolidbbs.com/devel/article-flat.php?id=347&group=comp.protocols.kerberos#347

From: buzzsaw.code@gmail.com (BuzzSaw Code)
Newsgroups: comp.protocols.kerberos
Subject: Re: help with OTP
Date: Tue, 25 Apr 2023 14:32:56 -0400
Organization: TNet Consulting
Lines: 130
Message-ID: <mailman.64.1682447615.1964.kerberos@mit.edu>
References: <CAOLfK3WVppnk3eouiLTxhiR5gXQcCVd7K5xr_erP=y_RkeVpPw@mail.gmail.com>
<202304242225.33OMPJdw026540@hedwig.cmf.nrl.navy.mil>
<CAOLfK3XZF95-XoaW8y8cMrMETpWQNV-=EEkMyreo18WXH5M3sg@mail.gmail.com>
<CAJhaRZ+wc0N_YX06jdsh8iHTSn1dJoH3bn6q6Mm0V35h-8FARg@mail.gmail.com>
Cc: kerberos <kerberos@mit.edu>
To: Matt Zagrabelny <mzagrabe@d.umn.edu>
List-Id: The Kerberos Authentication System Mailing List <kerberos.mit.edu>
List-Archive: <http://mailman.mit.edu/pipermail/kerberos/>

What we did:
- in your kdc.conf:

[otp]
DEFAULT = {
server = localhost6:1812
secret = secretfile
strip_realm = true
}

This assumes your KDC runs a local RADIUS server that will answer
OTP requests. Change as needed.

- create the file 'secretfile' with your shared RADIUS secret in the
same directory as kdc.conf

- kadmin -q 'addprinc -randkey WELLKNOWN/ANONYMOUS'
- kadmin -q 'modprinc +requires_preauth user'
- kadmin -q 'setstr user otp []'

Testing:

Get an initial TGT with anonymous auth
- kinit -n -c /tmp/somecache

Use that anonymous auth
- kinit -T /tmp/somecache user

Should get prompted for OTP there if that is right.

For Linux things that support 'sssd' - look at the krb5_use_fast
setting - we set ours to demand.

For macOS and other things we build Russ Allbery's pam_krb5 -
https://www.eyrie.org/~eagle/software/pam-krb5/pam-krb5.html
that supports FAST. The Kerberos supplied with macOS sorta works but
is missing so much it has been easier just to push a build of MIT
Kerberos to it.

That's the off the top of my head notes for OTP.

HTH.

On Tue, Apr 25, 2023 at 12:44 PM Matt Zagrabelny via Kerberos
<kerberos@mit.edu> wrote:
>
> Hi Ken!
>
> On Mon, Apr 24, 2023 at 5:25 PM Ken Hornstein <kenh@cmf.nrl.navy.mil> wrote:
> >
> > >make it look like you can put the secret directly into the
> > >configuration file. There seems to be a little bit of disconnect
> > >between those two parts of the docs. I just wanted to point it out if
> > >it is helpful.
> >
> > It looks like (according to the source code) it has to have that as
> > a filename.
>
> Thanks for source diving and confirming how to use that config directive.
>
> > >I've tried to configure my kdc.conf with the required otp stanzas:
> >
> > Well, it's a preauthentication mechanism, so FIRST you have to make sure
> > your principal is configured to require preauthentication.
>
> Sure. I just did that:
>
> kadmin.local: modify_principal +requires_preauth bob@MYDOMAIN.COM
> Principal "bob@MYDOMAIN.COM" modified.
>
> I've searched the docs and didn't find anything, but... I don't
> suppose there is a config item for the KDC to require preauth for
> "user" principals?
>
> And there
> > is a note at the bottom of that page that suggests you need to be using
> > FAST which implies you need to set up a FAST credential cache.
>
> I've done some searching and found:
>
> https://web.mit.edu/kerberos/krb5-1.12/doc/basic/ccache_def.html
>
> ...but no mention of FAST.
>
>
> And
> > I will be the first person to confess that I've always been a little
> > hazy on how exactly that works! (We do use an OTP preauthentication
> > mechanism but it predates the newer OTP mechanism you're using). I am
> > not aware of any extant documentation that explains how you're supposed
> > to use FAST in practice, which I always found a bit odd.
>
> I haven't found any documentation about configuring the KDC to use FAST.
>
> I wasn't
> > involved with Kerberos protocol development when FAST was designed but I
> > remember a lot of messages about it, but it seems like there's a giant
> > hole on how exactly you're supposed to use it when it comes down to the
> > nuts and bolts. If there is some documentation about it, hey, I'd love
> > to read it!
>
> Ditto.
>
> One of my long-term plans is to migrate our weird stuff to
> > something based on OTP which would involve FAST and I sure hope that's
> > actually possible in practice (I am aware that without an available
> > local keytab you'd have to do anonymous PKINIT and that wouldn't be too
> > bad for us since we already have all of the certificate stuff deployed
> > for PKINIT with Kerberos, but if you DIDN'T already have everything set
> > up for PKINIT it would be about as much fun as a punch in the face from
> > John Cena).
> >
> > My guess is you could use kinit -k to get a TGT based on a keytab on the
> > host and then give THAT credential cache you create to the kinit command
> > using the -T option. Again, that's just a guess.
>
> Yeah... I'm unsure how this all plumbs together.
>
> Thanks for the reply. Maybe someone else, with FAST experience (?),
> will chime in.
>
> Cheers,
>
> -m
>
> ________________________________________________
> Kerberos mailing list Kerberos@mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
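The setup steps in the post above (the [otp] stanza in kdc.conf, the secret file next to it, an anonymous TGT used as FAST armor for the user's AS-REQ), as an added example that is not part of the post and not MIT krb5's own code: a POSIX shell script that checks the stanza for the two things this thread tripped over (that `secret` names a file rather than holding the secret, and that the named file actually exists and is owner-only), plus a probe function for the FAST + OTP flow. The function names are hypothetical. It assumes a relative `secret` path resolves against the KDC state directory, which is where a default-installed kdc.conf lives (my reading of the MIT kdc.conf documentation; pass the directory explicitly if your layout differs), and it uses GNU `stat -c %a` with a BSD `stat -f %Lp` fallback for the mode check.

```shell
#!/bin/sh
# Added example (not from the post or from MIT krb5): sanity-check the [otp]
# stanza of an MIT krb5 kdc.conf before restarting the KDC, then probe the
# FAST + OTP flow the post describes. Assumptions are marked below.

# Print the value of key $2 from the [otp] section of kdc.conf $1 (first
# match; nested "NAME = { ... }" blocks are scanned line by line).
otp_value() {
    awk -v key="$2" '
        /^[ \t]*\[otp\]/ { in_otp = 1; next }
        /^[ \t]*\[/      { in_otp = 0 }
        in_otp && $0 ~ ("^[ \t]*" key "[ \t]*=") {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); print; exit
        }' "$1"
}

# Exit 0 if the stanza is usable, 1 (with a reason on stderr) otherwise.
#   $1 = kdc.conf path
#   $2 = directory that a relative "secret" path resolves against; defaults
#        to the kdc.conf directory. Assumption: MIT krb5 resolves relative
#        secret paths against its KDC state directory, which is where a
#        default-installed kdc.conf lives; pass it explicitly if yours differs.
check_otp_stanza() {
    conf=$1
    base=${2:-$(dirname "$conf")}
    server=$(otp_value "$conf" server)
    secret=$(otp_value "$conf" secret)

    [ -n "$server" ] || { echo "otp: no 'server' in [otp]" >&2; return 1; }

    # A UNIX-domain-socket server (absolute path) may omit the secret;
    # a host:port RADIUS server must have one.
    case $server in
        /*) [ -n "$secret" ] || return 0 ;;
        *)  [ -n "$secret" ] || { echo "otp: server $server needs a 'secret'" >&2; return 1; } ;;
    esac

    case $secret in
        /*) path=$secret ;;
        *)  path=$base/$secret ;;
    esac

    # 'secret' names a file holding the shared secret; it is not the secret
    # itself. A missing file is the usual symptom of a typo in the name or
    # of pasting the secret string into kdc.conf.
    [ -f "$path" ] || { echo "otp: secret file '$path' not found" >&2; return 1; }
    [ -s "$path" ] || { echo "otp: secret file '$path' is empty" >&2; return 1; }

    # The RADIUS shared secret must not be group- or world-readable.
    mode=$(stat -c %a "$path" 2>/dev/null || stat -f %Lp "$path")
    case $mode in
        *00) ;;
        *) echo "otp: '$path' is mode $mode; use chmod 600" >&2; return 1 ;;
    esac
    return 0
}

# End-to-end probe of the flow in the post: get an anonymous TGT into a
# scratch cache and use it as FAST armor for USER's AS-REQ; a correctly
# wired KDC then prompts for the OTP. Not run automatically: it needs a
# live KDC with PKINIT configured and a client that trusts the KDC's
# certificate (pkinit_anchors), since the anonymous TGT is a PKINIT ticket.
fast_otp_probe() {
    armor=$(mktemp "${TMPDIR:-/tmp}/armor.XXXXXX") || return 1
    kinit -n -c "$armor" || { echo "anonymous PKINIT failed" >&2; return 1; }
    kinit -T "$armor" "$1"
}

# Usage: sh otp-check.sh /var/kerberos/krb5kdc/kdc.conf [state-dir]
if [ -n "${1-}" ]; then
    check_otp_stanza "$1" "${2-}"
fi
```

Run the checker before `kinit -T`: if it reports the secret file missing, the KDC will not be talking to RADIUS at all, and the anonymous-armor step will fail earlier still if PKINIT is not deployed on the KDC, which is the dependency Ken points out in the quoted reply.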
