From: kenh@cmf.nrl.navy.mil (Ken Hornstein)
Newsgroups: comp.protocols.kerberos
Subject: Re: help with OTP
Date: Wed, 26 Apr 2023 12:29:47 -0400
Organization: TNet Consulting
Lines: 33
Message-ID: <mailman.72.1682526632.1964.kerberos@mit.edu>
References: <CAOLfK3WVppnk3eouiLTxhiR5gXQcCVd7K5xr_erP=y_RkeVpPw@mail.gmail.com>
<202304242225.33OMPJdw026540@hedwig.cmf.nrl.navy.mil>
<CAOLfK3XZF95-XoaW8y8cMrMETpWQNV-=EEkMyreo18WXH5M3sg@mail.gmail.com>
<CAJhaRZ+wc0N_YX06jdsh8iHTSn1dJoH3bn6q6Mm0V35h-8FARg@mail.gmail.com>
<CAOLfK3Xs9X25-jY+GjXqmNEOYbSNSVMXdBojX=k28FWqenWG+A@mail.gmail.com>
<CAJhaRZJP+Cz0RkSyOaWmjH5UHjye43k7B9G=dRechpN3Ad4qXg@mail.gmail.com>
<CAOLfK3VOZSNFhpkSKy5XsaA2mFUDVCGdjjZdna_O8M2RaAZPyw@mail.gmail.com>
<202304260001.33Q01xYH024064@hedwig.cmf.nrl.navy.mil>
<CAOLfK3X+3LSdOfA0vpDDiPi3RC7GUb73+jZTYje7sjDfQVu96g@mail.gmail.com>
<202304261629.33QGTlJ8015728@hedwig.cmf.nrl.navy.mil>

>Since I am currently only interested in anonymous auth, I thought I
>could skip that directive. But alas:

Right, so, here's where my limited knowledge of FAST comes into play.

As I understand it, you need to be able to use a trusted key to
authenticate with the KDC to create the FAST channel. Your options
are using an already-existing key (such as a host key) or anonymous
PKINIT. But the "anonymous" part of anonymous PKINIT only refers to the
CLIENT being anonymous; you still need the client to be able to verify
the KDC's certificate (otherwise anyone could pretend to be your KDC and
you could end up sending your OTP output to them, which would be bad).
That's the piece you were missing. Once you have the FAST channel set
up then you can use that to securely send the OTP response.

I see in a later message you got it working; great! Just FYI in case
anyone else asks, the key line in that trace output was this:

[1185088] 1682519355.427424: Processing preauth types: PA-PK-AS-REQ
(16), PA-FX-FAST (136), PA-ETYPE-INFO2 (19), PA-PKINIT-KX (147),
PA-ENCRYPTED-CHALLENGE (138), PA_AS_FRESHNESS (150), PA-FX-COOKIE
(133), PA-FX-ERROR (137)

You're missing PA-OTP-REQUEST, which was because (as you discovered)
that plugin wasn't installed. But that requires a lot of Kerberos
knowledge to get to that point :-/

It does occur to me a useful addition to kinit might be a flag that
means "authenticate using anonymous PKINIT and then use those
credentials as a FAST armour credential cache" so you wouldn't have
to muck around with juggling credential caches.

--Ken
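
As an added diagnostic example (not part of Ken's message and not code from MIT Kerberos), the Python below parses the "Processing preauth types" record from a KRB5_TRACE run, tolerating the line wrapping seen in the trace quoted above, and reports which preauth mechanisms needed for OTP over a FAST channel are absent. The first embedded trace is the one quoted in the message; the second is a constructed variant in which the OTP plugin is present, using the number 142 for PA-OTP-REQUEST as assigned by RFC 6560 (an assumption, not something the message states).

```python
"""Check a KRB5_TRACE 'Processing preauth types' record for required mechanisms."""
import re
from typing import Dict, List

# A "NAME (number)" entry as printed by the MIT client trace. Names use '-' or
# '_' (the trace above shows both PA-FX-FAST and PA_AS_FRESHNESS).
_ENTRY = re.compile(r"([A-Z][A-Z0-9_-]+)\s*\((\d+)\)")
# Start of a new trace record, e.g. "[1185088] 1682519355.427424: ..."
_RECORD_START = re.compile(r"^\[\d+\]\s+\d+\.\d+:")
MARKER = "Processing preauth types:"

# For OTP preauth inside a FAST tunnel both of these must be offered.
REQUIRED_FOR_OTP_OVER_FAST = ["PA-FX-FAST", "PA-OTP-REQUEST"]

# Trace record quoted in the message above (wrapped exactly as posted).
TRACE_FROM_MESSAGE = """\
[1185088] 1682519355.427424: Processing preauth types: PA-PK-AS-REQ
(16), PA-FX-FAST (136), PA-ETYPE-INFO2 (19), PA-PKINIT-KX (147),
PA-ENCRYPTED-CHALLENGE (138), PA_AS_FRESHNESS (150), PA-FX-COOKIE
(133), PA-FX-ERROR (137)
[1185088] 1682519355.427501: Selected etype info: etype aes256-cts
"""

# Constructed trace: same client with the OTP plugin installed.
# 142 = PA-OTP-REQUEST per RFC 6560 (assumed, not taken from the message).
TRACE_WITH_OTP = """\
[1185088] 1682519355.427424: Processing preauth types: PA-PK-AS-REQ
(16), PA-FX-FAST (136), PA-ETYPE-INFO2 (19), PA-PKINIT-KX (147),
PA-ENCRYPTED-CHALLENGE (138), PA-OTP-REQUEST (142), PA_AS_FRESHNESS (150),
PA-FX-COOKIE (133), PA-FX-ERROR (137)
"""


def parse_preauth_types(trace: str) -> Dict[str, int]:
    """Return {name: number} for every preauth type in the first
    'Processing preauth types' record, joining wrapped continuation lines."""
    collecting = False
    buf: List[str] = []
    for line in trace.splitlines():
        if not collecting:
            if MARKER in line:
                collecting = True
                buf.append(line.split(MARKER, 1)[1])
            continue
        # A new timestamped record or a blank line ends the wrapped record.
        if _RECORD_START.match(line) or not line.strip():
            break
        buf.append(line)
    return {name: int(num) for name, num in _ENTRY.findall(" ".join(buf))}


def missing_preauth(trace: str, required: List[str]) -> List[str]:
    """Names from `required` that do not appear in the trace record."""
    offered = parse_preauth_types(trace)
    return [name for name in required if name not in offered]


if __name__ == "__main__":
    for label, trace in (("as posted", TRACE_FROM_MESSAGE), ("with OTP", TRACE_WITH_OTP)):
        gap = missing_preauth(trace, REQUIRED_FOR_OTP_OVER_FAST)
        print(f"{label}: missing {gap if gap else 'nothing'}")
```

Run the real thing with `KRB5_TRACE=/dev/stderr kinit ...` and feed the captured stderr to `missing_preauth`; an empty result means both the FAST and OTP preauth types were negotiated, while `['PA-OTP-REQUEST']` reproduces the situation in the thread where the OTP plugin was not installed.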
