From: ghudson@mit.edu (Greg Hudson)
Newsgroups: comp.protocols.kerberos
Subject: Re: help with OTP
Date: Wed, 26 Apr 2023 01:27:47 -0400
Message-ID: <mailman.68.1682486890.1964.kerberos@mit.edu>
Cc: kerberos <kerberos@mit.edu>
To: Ken Hornstein <kenh@cmf.nrl.navy.mil>, Matt Zagrabelny <mzagrabe@d.umn.edu>
In-Reply-To: <202304260001.33Q01xYH024064@hedwig.cmf.nrl.navy.mil>
List-Id: The Kerberos Authentication System Mailing List <kerberos.mit.edu>

On 4/25/23 20:01, Ken Hornstein via Kerberos wrote:
> First, there's about 500x ways for PKINIT to go wrong, and when it does
> go wrong 99% of the time you fall back to a password so it's hard to
> figure out exactly what failed.

Assuming the kadmin client and KDC are running 1.12 or later, you can
create WELLKNOWN/ANONYMOUS with the -nokey option (instead of -randkey)
to disable the password fallback. Or you can "kadmin.local purgekeys
-all WELLKNOWN/ANONYMOUS" to remove the principal's long-term keys once
it already exists. If this is done you should get PKINIT error messages
from kinit -n if the KDC offered PKINIT and the client couldn't make it
work, like this:

$ kinit -n
kinit: Pre-authentication failed: No pkinit_anchors supplied while
getting initial credentials

(The PKINIT doc page still says to create WELLKNOWN/ANONYMOUS with
-randkey, even though it talks about the -nokey option for client
principals. I will work on documentation updates based on this thread.)
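The check below is an added example, not part of Greg Hudson's message or of the MIT krb5 project. It turns the advice above into something a KDC administrator can run: it reads `kadmin getprinc` output for WELLKNOWN/ANONYMOUS and reports whether the principal still carries long-term keys (so `kinit -n` can fall back to a password and hide the real PKINIT error) or has none (created with -nokey, or purged with "purgekeys -all"). It assumes that MIT kadmin's getprinc output contains a line of the form "Number of keys: N"; the two sample outputs embedded in the script are constructed, and the live check only runs when kadmin.local is present on the host.

```shell
#!/bin/sh
# Added example (not from the original post or MIT krb5): report whether
# WELLKNOWN/ANONYMOUS still has long-term keys, i.e. whether the password
# fallback that masks PKINIT failures is still possible.
#
# Assumption: MIT kadmin "getprinc" output carries a line
#   Number of keys: N
# (present in MIT krb5 1.12 and later).

# Read getprinc output on stdin and print the key count,
# or "unknown" when no "Number of keys" line is found.
key_count() {
    awk -F': *' '
        $1 == "Number of keys" { print $2; found = 1; exit }
        END { if (!found) print "unknown" }
    '
}

# Read getprinc output on stdin. Return 0 when the principal has no
# long-term keys (PKINIT-only), 1 when keys are present, 2 when the
# output could not be parsed.
anonymous_is_pkinit_only() {
    n=$(key_count)
    case "$n" in
        0)       return 0 ;;
        unknown) return 2 ;;
        *)       return 1 ;;
    esac
}

# Print a one-line verdict for getprinc output read from stdin.
report() {
    label=$1
    rc=0
    anonymous_is_pkinit_only || rc=$?
    case $rc in
        0) echo "$label: no long-term keys; kinit -n will show PKINIT errors instead of falling back" ;;
        1) echo "$label: long-term keys present; password fallback can hide PKINIT failures (consider: purgekeys -all WELLKNOWN/ANONYMOUS)" ;;
        *) echo "$label: could not parse getprinc output" ;;
    esac
}

# Constructed sample: principal created with -randkey (fallback possible).
SAMPLE_RANDKEY='Principal: WELLKNOWN/ANONYMOUS@EXAMPLE.COM
Expiration date: [never]
Number of keys: 2
Key: vno 1, aes256-cts-hmac-sha1-96
Key: vno 1, aes128-cts-hmac-sha1-96
Attributes: REQUIRES_PRE_AUTH
Policy: [none]'

# Constructed sample: principal created with -nokey, or after "purgekeys -all".
SAMPLE_NOKEY='Principal: WELLKNOWN/ANONYMOUS@EXAMPLE.COM
Expiration date: [never]
Number of keys: 0
Attributes: REQUIRES_PRE_AUTH
Policy: [none]'

# Offline demonstration on the constructed samples.
printf '%s\n' "$SAMPLE_RANDKEY" | report "constructed -randkey sample"
printf '%s\n' "$SAMPLE_NOKEY"   | report "constructed -nokey sample"

# Live check against the local database, only when kadmin.local exists
# (run as root on the KDC).
if command -v kadmin.local >/dev/null 2>&1; then
    kadmin.local -q "getprinc WELLKNOWN/ANONYMOUS" 2>/dev/null | report "WELLKNOWN/ANONYMOUS"
fi
```

On a KDC where the principal was created with -randkey, the second verdict is the one to act on: run the purgekeys command from the message (or recreate the principal with -nokey) and then confirm with `kinit -n` that a PKINIT misconfiguration now produces a PKINIT error rather than a password prompt.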
