https://www.rocksolidbbs.com/devel/article-flat.php?id=349&group=comp.protocols.kerberos#349

  copy link   Newsgroups: comp.protocols.kerberos
Path: i2pn2.org!i2pn.org!weretis.net!feeder8.news.weretis.net!3.eu.feeder.erje.net!1.us.feeder.erje.net!feeder.erje.net!tncsrv06.tnetconsulting.net!.POSTED.mailman.mit.edu!not-for-mail
From: mzagrabe@d.umn.edu (Matt Zagrabelny)
Newsgroups: comp.protocols.kerberos
Subject: Re: help with OTP
Date: Tue, 25 Apr 2023 17:07:23 -0500
Organization: TNet Consulting
Lines: 106
Message-ID: <mailman.66.1682460522.1964.kerberos@mit.edu>
References: <CAOLfK3WVppnk3eouiLTxhiR5gXQcCVd7K5xr_erP=y_RkeVpPw@mail.gmail.com>
<202304242225.33OMPJdw026540@hedwig.cmf.nrl.navy.mil>
<CAOLfK3XZF95-XoaW8y8cMrMETpWQNV-=EEkMyreo18WXH5M3sg@mail.gmail.com>
<CAJhaRZ+wc0N_YX06jdsh8iHTSn1dJoH3bn6q6Mm0V35h-8FARg@mail.gmail.com>
<CAOLfK3Xs9X25-jY+GjXqmNEOYbSNSVMXdBojX=k28FWqenWG+A@mail.gmail.com>
<CAJhaRZJP+Cz0RkSyOaWmjH5UHjye43k7B9G=dRechpN3Ad4qXg@mail.gmail.com>
<CAOLfK3VOZSNFhpkSKy5XsaA2mFUDVCGdjjZdna_O8M2RaAZPyw@mail.gmail.com>
To: BuzzSaw Code <buzzsaw.code@gmail.com>, kerberos <kerberos@mit.edu>
In-Reply-To: <CAJhaRZJP+Cz0RkSyOaWmjH5UHjye43k7B9G=dRechpN3Ad4qXg@mail.gmail.com>
 by: Matt Zagrabelny - Tue, 25 Apr 2023 22:07 UTC

Making progress... but still need some pointers.

On Tue, Apr 25, 2023 at 4:01 PM BuzzSaw Code <buzzsaw.code@gmail.com> wrote:
>
> You don't need or want to know the anonymous principal's password -
> you should use randkey. Getting a password prompt for those creds
> means something is missing in the config.

OK. Agreed.

>
> You probably need to set some of the PKINIT parameters since they seem

This seems to be a missing point in my configuration. I just followed:

https://web.mit.edu/kerberos/www/krb5-latest/doc/admin/pkinit.html

to attempt to get pkinit working for anonymous credentials.

I generated the CA and the KDC cert/key and updated the config file
(/etc/krb5kdc/kdc.conf):

---<cut>---
[kdcdefaults]
kdc_ports = 750,88
kdc_tcp_listen = 88

[realms]
MYDOMAIN.COM = {
database_name = /var/lib/krb5kdc/principal
admin_keytab = FILE:/etc/krb5kdc/kadm5.keytab
acl_file = /etc/krb5kdc/kadm5.acl
key_stash_file = /etc/krb5kdc/stash
kdc_ports = 750,88
max_life = 10h 0m 0s
max_renewable_life = 7d 0h 0m 0s
default_principal_flags = +preauth
pkinit_identity = FILE:/etc/krb5kdc/kdc.pem,/etc/krb5kdc/kdckey.pem
}
---<cut>---

> to be tied to FAST as well in your krb5.conf on your client:
>
> YOURREALM = {
> pkinit_kdc_hostname = yourkdc.fqdn
> }
>

OK. Thanks! I added that to my /etc/krb5.conf.

$ kinit -n -c /tmp/somecache
Password for WELLKNOWN/ANONYMOUS@MYDOMAIN.COM:

In the KDC logs I see:

Apr 25 16:56:05 auth-test krb5kdc[226122]: AS_REQ (8 etypes
{aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17),
aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19),
DEPRECATED:des3-cbc-sha1(16), DEPRECATED:arcfour-hmac(23),
camellia128-cts-cmac(25), camellia256-cts-cmac(26)})
2607:ea00:200:60::13: NEEDED_PREAUTH: WELLKNOWN/ANONYMOUS@MYDOMAIN.COM
for krbtgt/MYDOMAIN.COM@MYDOMAIN.COM, Additional pre-authentication
required
Apr 25 16:56:05 auth-test krb5kdc[226122]: closing down fd 14

I see the "additional pre-authentication required". I check the
anonymous principal:

kadmin.local: get_principal WELLKNOWN/ANONYMOUS@MYDOMAIN.COM
Principal: WELLKNOWN/ANONYMOUS@MYDOMAIN.COM
Expiration date: [never]
Last password change: Tue Apr 25 16:04:45 CDT 2023
Password expiration date: [never]
Maximum ticket life: 0 days 10:00:00
Maximum renewable life: 7 days 00:00:00
Last modified: Tue Apr 25 16:04:45 CDT 2023 (root/admin@MYDOMAIN.COM)
Last successful authentication: Tue Apr 25 15:06:53 CDT 2023
Last failed authentication: Tue Apr 25 15:04:26 CDT 2023
Failed password attempts: 0
Number of keys: 2
Key: vno 3, aes256-cts-hmac-sha1-96
Key: vno 3, aes128-cts-hmac-sha1-96
MKey: vno 1
Attributes: REQUIRES_PRE_AUTH

So I remove the preauth requirement:

kadmin.local: modprinc -requires_preauth WELLKNOWN/ANONYMOUS@MYDOMAIN.COM
Principal "WELLKNOWN/ANONYMOUS@MYDOMAIN.COM" modified.

However, when I try:

$ kinit -n -c /tmp/somecache
Password for WELLKNOWN/ANONYMOUS@MYDOMAIN.COM:

I still get a password prompt and the KDC logs still say:

NEEDED_PREAUTH for the WELLKNOWN/ANONYMOUS@MYDOMAIN.COM principal.

Any ideas what I am missing to get pkinit working with anonymous credentials?

Thanks for the help!

-m
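The posted kdc.conf sets pkinit_identity but no pkinit_anchors, which the MIT PKINIT guide linked in the message also lists for the KDC (and, under [libdefaults], for the client). An added check, not code from the post or from MIT krb5, that parses the krb5 profile syntax and reports which of those keys a realm lacks; the file contents, realm name, paths and hostname are constructed samples:

```python
# Constructed samples, not the poster's files. KDC_CONF mirrors the posted
# kdc.conf realm block (pkinit_identity set, no pkinit_anchors anywhere).
KDC_CONF = """[kdcdefaults]
kdc_ports = 750,88
[realms]
MYDOMAIN.COM = {
  default_principal_flags = +preauth
  pkinit_identity = FILE:/etc/krb5kdc/kdc.pem,/etc/krb5kdc/kdckey.pem
}
"""
CLIENT_CONF = """[libdefaults]
pkinit_anchors = FILE:/etc/krb5/cacert.pem
[realms]
MYDOMAIN.COM = {
  kdc = yourkdc.fqdn
  pkinit_kdc_hostname = yourkdc.fqdn
}
"""
# Keys the MIT PKINIT admin guide sets on each side (assumption: per that guide).
KDC_KEYS = ("pkinit_identity", "pkinit_anchors")
CLIENT_KEYS = ("pkinit_anchors",)

def parse_profile(text):
    """Parse krb5 profile syntax into {section: {block: {key: value}}};
    keys directly under a [section] are stored under block ""."""
    conf, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()    # strip comments, whitespace
        if line.startswith("["):                # new [section]
            section, block = line.strip("[]"), None
            conf[section] = conf.get(section, {})
        elif line == "}":                       # end of a "NAME = {" block
            block = None
        elif line:
            key, _, value = (p.strip() for p in line.partition("="))
            if value == "{":                    # start of a "NAME = {" block
                block = key
                conf[section].setdefault(block, {})
            else:
                conf[section].setdefault(block or "", {})[key] = value
    return conf

def missing_pkinit(conf, realm, required):
    """Required PKINIT keys absent from both the realm block and the file's
    defaults section ([kdcdefaults] in kdc.conf, [libdefaults] in krb5.conf)."""
    in_realm = conf.get("realms", {}).get(realm, {})
    defaults = {**conf.get("kdcdefaults", {}).get("", {}),
                **conf.get("libdefaults", {}).get("", {})}
    return [k for k in required if k not in in_realm and k not in defaults]
```

Run against the KDC sample it reports pkinit_anchors as missing; against the client sample it reports nothing.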
