Re: help with OTP

<mailman.65.1682453805.1964.kerberos@mit.edu>

From: mzagrabe@d.umn.edu (Matt Zagrabelny)
Newsgroups: comp.protocols.kerberos
Subject: Re: help with OTP
Date: Tue, 25 Apr 2023 15:16:22 -0500
 by: Matt Zagrabelny - Tue, 25 Apr 2023 20:16 UTC

Hi BuzzSaw,

Thanks for the reply!

On Tue, Apr 25, 2023 at 1:33 PM BuzzSaw Code <buzzsaw.code@gmail.com> wrote:
>
> What we did:
> - in your kdc.conf:
>
> [otp]
> DEFAULT = {
> server = localhost6:1812
> secret = secretfile
> strip_realm = true
> }
>
> This assumes your kdc runs a local RADIUS server that will answer up
> OTP requests. Change as needed.

Got it.

>
>
> - create the file 'secretfile' with your shared RADIUS secret in the
> same directory as kdc.conf
>
> - kadmin -q 'addprinc -randkey WELLKNOWN/ANONYMOUS'

-randkey. Do I need to know what the passphrase is?

>
> - kadmin -q 'modprinc +requires_preauth user'
> - kadmin -q 'setstr user otp []'
>
> Testing:
>
> Get an initial TGT with anonymous auth
> - kinit -n -c /tmp/somecache

I tried this, but it prompted me:

$ kinit -n -c /tmp/somecache
Password for WELLKNOWN/ANONYMOUS@MYDOMAIN.COM:
kinit: Password incorrect while getting initial credentials

...so I went and changed the password for the WELLKNOWN/ANONYMOUS
principal. Then...

$ kinit -n -c /tmp/somecache
Password for WELLKNOWN/ANONYMOUS@MYDOMAIN.COM:
kinit: Reply has wrong form of session key for anonymous request while
getting initial credentials

I've never requested anonymous credentials before.

Does anyone know how to correctly request them?

Thanks,

-m
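
A preflight check for the secret-file step quoted above, as an added example that is not part of the original thread: it parses the `[otp]` section of a kdc.conf and reports token types whose secret file is missing or accessible to anyone but its owner. The sample config, its one-letter filename mismatch and the function names are constructed for illustration, and resolving relative names against kdc.conf's directory is an assumption taken from the post.

```python
import os
import tempfile

# Constructed sample: the secret name is one letter off from 'secretfile'.
SAMPLE_CONF = """[otp]
    DEFAULT = {
        server = localhost6:1812
        secret = secrettfile
        strip_realm = true
    }
"""

def parse_otp_types(conf_text):
    """Return {token_type: {key: value}} for the [otp] section."""
    types, section, current = {}, None, None
    for line in (raw.strip() for raw in conf_text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            section, current = line[1:-1], None
        elif section == "otp" and line == "}":
            current = None
        elif section == "otp" and "=" in line and line[0] not in "#;":
            key, value = (part.strip() for part in line.split("=", 1))
            if value == "{":
                current = types.setdefault(key, {})
            elif current is not None:
                current[key] = value
    return types

def check_secrets(conf_text, conf_dir):
    """List secret-file problems; assumes names are relative to conf_dir."""
    problems = []
    for name, opts in parse_otp_types(conf_text).items():
        if "secret" not in opts:
            continue
        path = os.path.join(conf_dir, opts["secret"])
        if not os.path.isfile(path):
            problems.append(f"{name}: secret file {opts['secret']} not found")
        elif os.stat(path).st_mode & 0o077:  # any group/other permission bit
            problems.append(f"{name}: {opts['secret']} not owner-only")
    return problems

def demo(conf_text=SAMPLE_CONF, mode=0o600):
    """Check conf_text against a scratch KDC directory holding 'secretfile'."""
    with tempfile.TemporaryDirectory() as kdc_dir:
        secret = os.path.join(kdc_dir, "secretfile")
        with open(secret, "w") as f:
            f.write("constructed-secret\n")
        os.chmod(secret, mode)
        return check_secrets(conf_text, kdc_dir)
```

To check a real deployment, call `check_secrets()` with the contents of kdc.conf and the directory it lives in.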
