Re: help with OTP
https://www.rocksolidbbs.com/devel/article-flat.php?id=350&group=comp.protocols.kerberos#350
From: kenh@cmf.nrl.navy.mil (Ken Hornstein)
Newsgroups: comp.protocols.kerberos
Subject: Re: help with OTP
Date: Tue, 25 Apr 2023 20:01:58 -0400
Organization: TNet Consulting
Lines: 37
Message-ID: <mailman.67.1682467347.1964.kerberos@mit.edu>
Cc: BuzzSaw Code <buzzsaw.code@gmail.com>, kerberos <kerberos@mit.edu>
To: Matt Zagrabelny <mzagrabe@d.umn.edu>
List-Id: The Kerberos Authentication System Mailing List <kerberos.mit.edu>

>Making progress... but still need some pointers.
>[...]

Remember when I said setting up PKINIT is about as much fun as getting a
punch in the face from John Cena? Well, you're about to discover what
I mean by that.

First, there's about 500x ways for PKINIT to go wrong, and when it does
go wrong 99% of the time you fall back to a password so it's hard to
figure out exactly what failed. I work with a large PKINIT deployment
that uses smartcards on the client side, so I feel I can speak with
some authority here. But, some pointers to get you going.

- You can use the KRB5_TRACE environment variable (on both the client
and server) to figure out if PKINIT was even attempted. Do something
like:

env KRB5_TRACE=/dev/stdout kinit [... kinit arguments ...]

That should at least tell you if PKINIT is attempted and, if it is
being attempted, why it failed (but it will produce a lot, so it requires
some experience to determine the useful bit you need).

- If you are generating the KDC certificate yourself and you do all of
the right magic (as specified in the MIT documentation) to put the
realm in the certificate you should not need this:

>> YOURREALM = {
>> pkinit_kdc_hostname = yourkdc.fqdn
>> }

- Did you put the right stuff to trust the KDC certificate on the client?
I did not see that. The PKINIT documentation does mention that you
need a pkinit_anchors entry on the client (at a minimum, you may need
others).

--Ken
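An added example, not part of Ken's reply or of MIT krb5 itself, that does the triage the reply describes: it reads a KRB5_TRACE log from kinit and reports whether the KDC offered PKINIT, whether the client's pkinit module actually ran, what it returned, and whether kinit then quietly fell back to a password. The trace lines are constructed to mimic MIT krb5's trace format; the exact message wording is an assumption, so adjust the patterns to your own trace output.

```python
"""Summarise a KRB5_TRACE log (env KRB5_TRACE=/dev/stdout kinit ...) to see
whether PKINIT was offered, attempted, why it failed, and whether kinit fell
back to encrypted-timestamp (password) preauth.  Added example; the sample
trace below is constructed, not captured from a real session."""
import re

# Each trace line looks like "[pid] seconds.usec: message".
TRACE_RE = re.compile(r"^\[\d+\] \d+\.\d+: (?P<msg>.*)$")
# Assumed module-result format: "Preauth module pkinit (16) (real) returned: 0/Success"
MODULE_RE = re.compile(
    r"Preauth module (?P<mod>\w+) \((?P<patype>\d+)\) \(\w+\) returned: "
    r"(?P<code>-?\d+)/(?P<text>.*)$")

def summarize_pkinit_trace(lines):
    """Return a dict describing what happened to PKINIT during this kinit run."""
    out = {"kdc_offered_pkinit": False,   # KDC listed PA-PK-AS-REQ (16) as a preauth hint
           "pkinit_attempted": False,     # client pkinit module actually ran
           "pkinit_error": None,          # error text from the pkinit module, if any
           "pkinit_messages": [],         # any "PKINIT ..." diagnostics the client logged
           "fell_back_to_password": False}  # encrypted_timestamp ran after pkinit failed
    for raw in lines:
        m = TRACE_RE.match(raw.strip())
        if not m:
            continue
        msg = m.group("msg")
        if msg.startswith("Processing preauth types:") and "PA-PK-AS-REQ (16)" in msg:
            out["kdc_offered_pkinit"] = True
        if msg.startswith("PKINIT"):
            out["pkinit_messages"].append(msg)
        mm = MODULE_RE.match(msg)
        if not mm:
            continue
        if mm.group("mod") == "pkinit":
            out["pkinit_attempted"] = True
            if mm.group("code") != "0":
                out["pkinit_error"] = mm.group("text")
        elif mm.group("mod") == "encrypted_timestamp" and out["pkinit_error"]:
            out["fell_back_to_password"] = True
    return out

def hint(summary):
    """Map the summary to the first thing worth checking, per the reply above."""
    if not summary["kdc_offered_pkinit"]:
        return "KDC never offered PKINIT: check the KDC's pkinit_identity and its certificate"
    if not summary["pkinit_attempted"]:
        return "client never ran pkinit: check the client's pkinit_identities entry"
    if summary["pkinit_error"]:
        return "pkinit ran but failed: check pkinit_anchors and how the KDC cert names the realm"
    return "PKINIT succeeded"

SAMPLE_TRACE = """\
[4242] 1682467000.100001: Getting initial credentials for alice@EXAMPLE.COM
[4242] 1682467000.100002: Sending unauthenticated request
[4242] 1682467000.100003: Received error from KDC: -1765328359/Additional pre-authentication required
[4242] 1682467000.100004: Processing preauth types: PA-PK-AS-REQ (16), PA-ETYPE-INFO2 (19), PA-ENC-TIMESTAMP (2)
[4242] 1682467000.100005: PKINIT client could not verify KDC certificate (constructed message)
[4242] 1682467000.100006: Preauth module pkinit (16) (real) returned: -1765328360/Preauthentication failed
[4242] 1682467000.100007: Preauth module encrypted_timestamp (2) (real) returned: 0/Success
"""
```

Run it with `summarize_pkinit_trace(open("trace.log").read().splitlines())` and feed the result to `hint()`; a run that ends in `encrypted_timestamp ... 0/Success` after a pkinit error is exactly the silent password fallback the reply warns about.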
