From: mzagrabe@d.umn.edu (Matt Zagrabelny)
Newsgroups: comp.protocols.kerberos
Subject: Re: help with OTP
Date: Wed, 26 Apr 2023 10:12:15 -0500
Organization: TNet Consulting
Lines: 366
Message-ID: <mailman.69.1682522004.1964.kerberos@mit.edu>
Cc: BuzzSaw Code <buzzsaw.code@gmail.com>, kerberos <kerberos@mit.edu>
To: Ken Hornstein <kenh@cmf.nrl.navy.mil>
In-Reply-To: <202304260001.33Q01xYH024064@hedwig.cmf.nrl.navy.mil>

Hi Ken, Greg, and BuzzSaw,

On Tue, Apr 25, 2023 at 7:02 PM Ken Hornstein <kenh@cmf.nrl.navy.mil> wrote:
>
> >Making progress... but still need some pointers.
> >[...]
>
> Remember when I said setting up PKINIT is about as much fun as getting a
> punch in the face from John Cena? Well, you're about to discover what
> I mean by that.

Ha. Yup. Isn't that all IT though?

> First, there's about 500x ways for PKINIT to go wrong, and when it does
> go wrong 99% of the time you fall back to a password so it's hard to
> figure out exactly what failed. I work with a large PKINIT deployment
> that uses smartcards on the client side, so I feel I can speak with
> some authority here. But, some pointers to get you going.
>
> - You can use the KRB5_TRACE environment variable (on both the client
> and server) to figure out if PKINIT was even attempted. Do something
> like:
>
> env KRB5_TRACE=/dev/stdout kinit [... kinit arguments ...]

Great hint. Thank you!

KRB5_TRACE=/dev/stdout kinit -n -c /tmp/somecache
[1180611] 1682514855.418738: Getting initial credentials for
WELLKNOWN/ANONYMOUS@MYDOMAIN.COM
[1180611] 1682514855.418739: Error loading plugin module pkinit:
2/unable to load plugin
[/usr/lib/x86_64-linux-gnu/krb5/plugins/preauth/pkinit.so]:
/usr/lib/x86_64-linux-gnu/krb5/plugins/preauth/pkinit.so: cannot open
shared object file: No such file or directory

Whoops. Looks like I need:

sudo apt install krb5-pkinit

I installed that on both the client and KDC system.

> That should at least tell you if PKINIT is attempted and if it is
> being attempted why it failed (but it will produce a lot so it requires
> some experience to determine the useful bit you need).
>
> - If you are generating the KDC certificate yourself and you do all of
> the right magic (as specified in the MIT documentation) to put the
> realm in the certificate you should not need this:
>
> >> YOURREALM = {
> >> pkinit_kdc_hostname = yourkdc.fqdn
> >> }
>
> - Did you put the right stuff to trust the KDC certificate on the client?
> I did not see that. The PKINIT documentation does mention that you
> need a pkinit_anchors entry on the client (at a minimum, you may need
> others).

Again, great hint.

I read the docs from:

https://web.mit.edu/kerberos/www/krb5-latest/doc/admin/pkinit.html

It says:

---<cut>---
If any clients will authenticate using regular (as opposed to
anonymous) PKINIT, the KDC must also have filesystem access to the CA
certificate (cacert.pem), and the following configuration (with the
appropriate pathname):

pkinit_anchors = FILE:/var/lib/krb5kdc/cacert.pem
---<cut>---

Since I am currently only interested in anonymous auth, I thought I
could skip that directive. But alas:

KRB5_TRACE=/dev/stdout /usr/sbin/krb5kdc -n -P /var/run/krb5-kdc.pid
[362890] 1682516397.385786: Retrieving K/M@MYDOMAIN.COM from
FILE:/etc/krb5kdc/stash (vno 0, enctype 0) with result: 0/Success
[362890] 1682516397.385787: PKINIT server initializing realm MYDOMAIN.COM
[362890] 1682516397.385788: PKINIT server initialization failed for
realm MYDOMAIN.COM: 22/No pkinit_anchors supplied for realm
MYDOMAIN.COM
[362890] 1682516397.385791: Retrieving K/M@MYDOMAIN.COM from
FILE:/etc/krb5kdc/stash (vno 0, enctype 0) with result: 0/Success
krb5kdc: starting...

I added:

pkinit_anchors = FILE:/etc/krb5kdc/cacert.pem

KRB5_TRACE=/dev/stdout /usr/sbin/krb5kdc -n -P /var/run/krb5-kdc.pid
[363318] 1682516577.731993: Retrieving K/M@MYDOMAIN.COM from
FILE:/etc/krb5kdc/stash (vno 0, enctype 0) with result: 0/Success
[363318] 1682516577.731994: PKINIT server initializing realm MYDOMAIN.COM
[363318] 1682516577.731995: PKINIT loading CA certs and CRLs from FILE
[363318] 1682516577.731998: Retrieving K/M@MYDOMAIN.COM from
FILE:/etc/krb5kdc/stash (vno 0, enctype 0) with result: 0/Success
krb5kdc: starting...

So, that looks good.

I'm able to do anonymous auth:

$ kinit -n -c /tmp/somecache

but I still get a Kerberos principal password prompt as opposed to a RADIUS one...

$ kinit -T /tmp/somecache
Password for bob@MYDOMAIN.COM:
[type in kerberos password]
$

Lots of debug stuff follows. I've read through it, but don't see
anything that jumps out as to why I'm not getting the OTP prompt:

kadmin.local: get_principal bob
Principal: bob@MYDOMAIN.COM
Expiration date: [never]
Last password change: Mon Dec 10 14:18:53 CST 2018
Password expiration date: [never]
Maximum ticket life: 0 days 10:00:00
Maximum renewable life: 7 days 00:00:00
Last modified: Tue Apr 25 10:13:24 CDT 2023 (root/admin@MYDOMAIN.COM)
Last successful authentication: Wed Apr 26 08:55:41 CDT 2023
Last failed authentication: Wed Apr 26 08:55:16 CDT 2023
Failed password attempts: 0
Number of keys: 2
Key: vno 1, aes256-cts-hmac-sha1-96
Key: vno 1, aes128-cts-hmac-sha1-96
MKey: vno 1
Attributes: REQUIRES_PRE_AUTH
Policy: [none]

kadmin.local: get_strings bob
otp: [{type:MyRemoteTokenType ,username:bob}]

anonymous auth:

$ KRB5_TRACE=/dev/stdout kinit -n -c /tmp/somecache
[1185075] 1682519339.169989: Getting initial credentials for
WELLKNOWN/ANONYMOUS@MYDOMAIN.COM
[1185075] 1682519339.169991: Sending unauthenticated request
[1185075] 1682519339.169992: Sending request (194 bytes) to MYDOMAIN.COM
[1185075] 1682519339.169993: Resolving hostname auth-test.mydomain.com
[1185075] 1682519339.169994: Sending initial UDP request to dgram fc00::1:88
[1185075] 1682519339.169995: Received answer (323 bytes) from dgram fc00::1:88
[1185075] 1682519339.169996: Sending DNS URI query for _kerberos.MYDOMAIN.COM.
[1185075] 1682519339.169997: No URI records found
[1185075] 1682519339.169998: Sending DNS SRV query for
_kerberos-master._udp.MYDOMAIN.COM.
[1185075] 1682519339.169999: Sending DNS SRV query for
_kerberos-master._tcp.MYDOMAIN.COM.
[1185075] 1682519339.170000: No SRV records found
[1185075] 1682519339.170001: Response was not from primary KDC
[1185075] 1682519339.170002: Received error from KDC:
-1765328359/Additional pre-authentication required
[1185075] 1682519339.170005: Preauthenticating using KDC method data
[1185075] 1682519339.170006: Processing preauth types: PA-PK-AS-REQ
(16), PA-FX-FAST (136), PA-ETYPE-INFO2 (19), PA-PKINIT-KX (147),
PA-ENC-TIMESTAMP (2), PA_AS_FRESHNESS (150), PA-FX-COOKIE (133)
[1185075] 1682519339.170007: Selected etype info: etype aes256-cts,
salt "MYDOMAIN.COMWELLKNOWNANONYMOUS", params ""
[1185075] 1682519339.170008: Received cookie: MIT
[1185075] 1682519339.170009: Preauth module pkinit (147) (info)
returned: 0/Success
[1185075] 1682519339.170010: PKINIT client received freshness token from KDC
[1185075] 1682519339.170011: Preauth module pkinit (150) (info)
returned: 0/Success
[1185075] 1682519339.170012: PKINIT loading CA certs and CRLs from
FILE /etc/krb5/cacert.pem
[1185075] 1682519339.170013: PKINIT client computed kdc-req-body
checksum 14/0CF6EE90E51246F7626115CA71D38D89C16D42AB
[1185075] 1682519339.170015: PKINIT client making DH request
[1185075] 1682519339.170016: Preauth module pkinit (16) (real)
returned: 0/Success
[1185075] 1682519339.170017: Produced preauth for next request:
PA-FX-COOKIE (133), PA-PK-AS-REQ (16)
[1185075] 1682519339.170018: Sending request (1680 bytes) to MYDOMAIN.COM
[1185075] 1682519339.170019: Resolving hostname auth-test.mydomain.com
[1185075] 1682519339.170020: Initiating TCP connection to stream fc00::1:88
[1185075] 1682519339.170021: Sending TCP request to stream fc00::1:88
[1185075] 1682519339.170022: Received answer (2955 bytes) from stream fc00::1:88
[1185075] 1682519339.170023: Terminating TCP connection to stream fc00::1:88
[1185075] 1682519339.170024: Sending DNS URI query for _kerberos.MYDOMAIN.COM.
[1185075] 1682519339.170025: No URI records found
[1185075] 1682519339.170026: Sending DNS SRV query for
_kerberos-master._udp.MYDOMAIN.COM.
[1185075] 1682519339.170027: Sending DNS SRV query for
_kerberos-master._tcp.MYDOMAIN.COM.
[1185075] 1682519339.170028: No SRV records found
[1185075] 1682519339.170029: Response was not from primary KDC
[1185075] 1682519339.170030: Processing preauth types: PA-PK-AS-REP
(17), PA-PKINIT-KX (147)
[1185075] 1682519339.170031: Preauth module pkinit (147) (info)
returned: 0/Success
[1185075] 1682519339.170032: PKINIT client verified DH reply
[1185075] 1682519339.170033: PKINIT client config accepts KDC dNSName
SAN auth-test.mydomain.com
[1185075] 1682519339.170034: PKINIT client found 1 SANs (1 princs, 0
UPNs, 0 DNS names) in certificate
/C=US/ST=State/L=Location/O=Organization/OU=Unit/CN=auth-test.mydomain.com
[1185075] 1682519339.170035: PKINIT client found id-pkinit-san in KDC
cert: krbtgt/MYDOMAIN.COM@MYDOMAIN.COM
[1185075] 1682519339.170036: PKINIT client matched KDC principal
krbtgt/MYDOMAIN.COM@MYDOMAIN.COM against id-pkinit-san; no EKU check
required
[1185075] 1682519339.170037: PKINIT client used KDF 2B06010502030602
to compute reply key aes256-cts/71E2
[1185075] 1682519339.170038: Preauth module pkinit (17) (real)
returned: 0/Success
[1185075] 1682519339.170039: Produced preauth for next request: (empty)
[1185075] 1682519339.170040: AS key determined by preauth: aes256-cts/71E2
[1185075] 1682519339.170041: Decrypted AS reply; session key is: aes256-cts/0D0B
[1185075] 1682519339.170042: FAST negotiation: available
[1185075] 1682519339.170043: Resolving unique ccache of type MEMORY
[1185075] 1682519339.170044: Initializing MEMORY:IfWp4iF with default
princ WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS
[1185075] 1682519339.170045: Storing config in MEMORY:IfWp4iF for
krbtgt/MYDOMAIN.COM@MYDOMAIN.COM: fast_avail: yes
[1185075] 1682519339.170046: Storing
WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS ->
krb5_ccache_conf_data/fast_avail/krbtgt\/MYDOMAIN.COM\@MYDOMAIN.COM@X-CACHECONF:
in MEMORY:IfWp4iF
[1185075] 1682519339.170047: Storing config in MEMORY:IfWp4iF for
krbtgt/MYDOMAIN.COM@MYDOMAIN.COM: pa_type: 16
[1185075] 1682519339.170048: Storing
WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS ->
krb5_ccache_conf_data/pa_type/krbtgt\/MYDOMAIN.COM\@MYDOMAIN.COM@X-CACHECONF:
in MEMORY:IfWp4iF
[1185075] 1682519339.170049: Storing config in MEMORY:IfWp4iF for :
start_realm: MYDOMAIN.COM
[1185075] 1682519339.170050: Storing
WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS ->
krb5_ccache_conf_data/start_realm@X-CACHECONF: in MEMORY:IfWp4iF
[1185075] 1682519339.170051: Storing
WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS ->
krbtgt/MYDOMAIN.COM@MYDOMAIN.COM in MEMORY:IfWp4iF
[1185075] 1682519339.170052: Moving ccache MEMORY:IfWp4iF to FILE:/tmp/somecache
[1185075] 1682519339.170053: Destroying ccache MEMORY:IfWp4iF
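An added triage script (not from the thread or from MIT krb5) for a KRB5_TRACE capture like the ones above: it reassembles records that a mail client wrapped, lists the preauth types the KDC offered, flags whether the OTP challenge (preauth type 141, per RFC 6560) was among them, and records plugin load errors and KDC errors. The sample trace is constructed; message formats follow the lines quoted in the post, and the exact wording of any other MIT trace message is an assumption.

```python
import re

# One trace record starts "[pid] epoch.usec: message"; a mail client may wrap
# long messages onto continuation lines that lack that prefix.
RECORD_RE = re.compile(r"^\[\d+\] \d+\.\d+: (.*)$")
PATYPE_RE = re.compile(r"([A-Z][A-Z0-9_-]*) \((\d+)\)")      # "NAME (NUM)"
MODULE_RE = re.compile(r"Preauth module (\S+) \((\d+)\) \((info|real)\) returned: (-?\d+)/")
PA_OTP_CHALLENGE = 141  # RFC 6560: preauth type the KDC sends to start OTP

def parse_trace(text):
    """Reassemble records, gluing wrapped continuation lines back on."""
    records = []
    for line in text.splitlines():
        m = RECORD_RE.match(line)
        if m:
            records.append(m.group(1))
        elif records and line.strip():
            records[-1] += " " + line.strip()
    return records

def triage(text):
    """Report what the trace says about the preauth negotiation."""
    offered, real_modules, plugin_errors, kdc_errors = set(), [], [], []
    for msg in parse_trace(text):
        if msg.startswith("Error loading plugin module"):
            plugin_errors.append(msg)
        elif msg.startswith("Processing preauth types:"):
            offered.update(int(n) for _, n in PATYPE_RE.findall(msg))
        elif msg.startswith("Received error from KDC:"):
            kdc_errors.append(msg.split(": ", 1)[1])
        else:
            m = MODULE_RE.match(msg)
            if m and m.group(3) == "real":   # the module that produced the AS key
                real_modules.append((m.group(1), int(m.group(2))))
    return {
        "offered_patypes": sorted(offered),
        "otp_offered": PA_OTP_CHALLENGE in offered,
        "real_modules": real_modules,
        "plugin_errors": plugin_errors,
        "kdc_errors": kdc_errors,
    }

# Constructed sample in the format of the trace quoted in the post; pid and
# timestamps are made up, and lines are wrapped as a mail client would wrap them.
SAMPLE_TRACE = """\
[1185075] 1682519339.170002: Received error from KDC:
-1765328359/Additional pre-authentication required
[1185075] 1682519339.170006: Processing preauth types: PA-PK-AS-REQ
(16), PA-FX-FAST (136), PA-ETYPE-INFO2 (19), PA-PKINIT-KX (147),
PA-ENC-TIMESTAMP (2), PA_AS_FRESHNESS (150), PA-FX-COOKIE (133)
[1185075] 1682519339.170009: Preauth module pkinit (147) (info)
returned: 0/Success
[1185075] 1682519339.170016: Preauth module pkinit (16) (real)
returned: 0/Success
"""

if __name__ == "__main__":
    for key, value in triage(SAMPLE_TRACE).items():
        print("%-16s %s" % (key + ":", value))
```

If `otp_offered` is false for the armored `kinit -T` run, the KDC never sent an OTP challenge, so the problem is on the KDC side (otp plugin or principal string configuration) rather than in the client prompt.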
