Re: help with OTP

https://www.rocksolidbbs.com/devel/article-flat.php?id=353&group=comp.protocols.kerberos#353

From: kenh@cmf.nrl.navy.mil (Ken Hornstein)
Newsgroups: comp.protocols.kerberos
Subject: Re: help with OTP
Date: Wed, 26 Apr 2023 11:28:16 -0400
Organization: TNet Consulting
Lines: 39
Message-ID: <mailman.70.1682522951.1964.kerberos@mit.edu>
Cc: Matt Zagrabelny <mzagrabe@d.umn.edu>, kerberos <kerberos@mit.edu>
To: Greg Hudson <ghudson@mit.edu>
In-Reply-To: <7586f99f-1c5e-f8c9-e128-eb457508556b@mit.edu>
List-Id: The Kerberos Authentication System Mailing List <kerberos.mit.edu>
List-Archive: <http://mailman.mit.edu/pipermail/kerberos/>

>On 4/25/23 20:01, Ken Hornstein via Kerberos wrote:
>> First, there's about 500x ways for PKINIT to go wrong, and when it does
>> go wrong 99% of the time you fall back to a password so it's hard to
>> figure out exactly what failed.
>
>Assuming the kadmin client and KDC are running 1.12 or later, you can
>create WELLKNOWN/ANONYMOUS with the -nokey option (instead of -randkey)
>to disable the password fallback. Or you can "kadmin.local purgekeys
>-all WELLKNOWN/ANONYMOUS" to remove the principal's long-term keys once
>it already exists. If this is done you should get PKINIT error messages
>from kinit -n if the KDC offered PKINIT and the client couldn't make it
>work, like this:
>[...]

Well, dang, that's one for the toolbox! I was able to confirm that
works just fine (but note I already had an existing PKINIT infrastructure
to leverage). I will note that the existing documentation implies you
could authenticate to WELLKNOWN/ANONYMOUS using your password, but
maybe that isn't true? I'm specifically referring to the documentation
for the '-n' option for kinit, the "second form" of anonymous tickets.
There is a note that this isn't supported, but it mentions MIT Kerberos
1.8 so one could believe that note is out of date.

This is kind of the giant mystery surrounding FAST. If you're not
familiar with the gory details of the FAST protocol you're kind of left
stumbling around to figure out what exactly you need to do. I realize
this is probably because it's hard to write documentation for beginners
(certainly I am guilty of this also); I'm only making this as a general
observation.

As a side note, it does occur to me that perhaps the simplest way to
integrate third-party OTP solutions into MIT Kerberos is to simply write
a bare-bones RADIUS server that does all of the magic you need to do
and point the existing OTP implementation at it; the RADIUS protocol is
relatively straightforward. It looks like writing your own OTP plugin
is in practice very difficult due to the dependency on calling the ASN.1
routines to encode and decode the OTP preauth data.

--Ken
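The RADIUS-fronted OTP design sketched above, as an added example that is not part of this thread or of MIT krb5: a minimal RFC 2865 Access-Request/Access-Accept exchange in Python, with the KDC-side client building the request and a bare-bones server recovering and validating the token, then answering with a Response Authenticator the client checks. The shared secret, the user name and the token store are constructed values, and the example assumes the KDC's OTP module carries the token value in the User-Password attribute (as MIT's libkrad-based module does); real token validation replaces the VALID_OTP lookup.

```python
import hashlib, hmac, secrets, struct

# Constructed demo values; a real server reads SECRET from config and does
# real token validation (the "magic" in the thread) in place of VALID_OTP.
SECRET = b"example-shared-secret"
VALID_OTP = {"alice": "492039"}
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD = 1, 2

def xor_chain(secret, authenticator, data, encrypt):
    # RFC 2865 s5.2 User-Password hiding: XOR each 16-byte block with
    # MD5(secret + previous ciphertext block), seeded by the Request Authenticator.
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        mask = hashlib.md5(secret + prev).digest()
        res = bytes(x ^ y for x, y in zip(block, mask))
        out, prev = out + res, (res if encrypt else block)
    return out

def parse_attrs(buf):
    pos, out = 0, {}  # type/length/value list -> dict keyed by attribute type
    while pos < len(buf):
        t, ln = buf[pos], buf[pos + 1]
        out[t], pos = buf[pos + 2:pos + ln], pos + ln
    return out

def build_access_request(ident, user, otp):
    # Client side (the role the KDC's OTP module plays): the token value goes
    # in User-Password under a fresh random Request Authenticator.
    ra = secrets.token_bytes(16)
    pw = xor_chain(SECRET, ra, otp.encode() + b"\0" * (-len(otp) % 16), True)
    body = struct.pack("BB", USER_NAME, 2 + len(user)) + user.encode()
    body += struct.pack("BB", USER_PASSWORD, 2 + len(pw)) + pw
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + ra + body

def handle_access_request(pkt):
    # Server side: recover the OTP, validate it, answer with an authenticated reply.
    _, ident, length = struct.unpack("!BBH", pkt[:4])
    ra, a = pkt[4:20], parse_attrs(pkt[20:length])
    user = a.get(USER_NAME, b"").decode(errors="replace")
    otp = xor_chain(SECRET, ra, a.get(USER_PASSWORD, b""), False).rstrip(b"\0")
    ok = bool(otp) and hmac.compare_digest(otp, VALID_OTP.get(user, "").encode())
    hdr = struct.pack("!BBH", ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, 20)
    # Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)
    return hdr + hashlib.md5(hdr + ra + SECRET).digest()

def verify_response(req, resp):
    # Client side: the reply must be bound to this request by the shared secret.
    expect = hashlib.md5(resp[:4] + req[4:20] + resp[20:] + SECRET).digest()
    return hmac.compare_digest(expect, resp[4:20])
```

A reply whose Response Authenticator does not verify (a flipped Reject-to-Accept code, or a reply for a different request) is rejected by verify_response, which is the check the KDC side must perform before trusting an Accept.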
