Re: help with OTP
https://www.rocksolidbbs.com/devel/article-flat.php?id=356&group=comp.protocols.kerberos#356
From: mzagrabe@d.umn.edu (Matt Zagrabelny)
Newsgroups: comp.protocols.kerberos
Subject: Re: help with OTP
Date: Wed, 26 Apr 2023 11:41:39 -0500
Message-ID: <mailman.73.1682527318.1964.kerberos@mit.edu>
by: Matt Zagrabelny - Wed, 26 Apr 2023 16:41 UTC

On Wed, Apr 26, 2023 at 11:29 AM Ken Hornstein <kenh@cmf.nrl.navy.mil> wrote:
>
> >Since I am currently only interested in anonymous auth, I thought I
> >could skip that directive. But alas:
>
> Right, so, here's where my limited knowledge of FAST comes into play.
>
> As I understand it, you need to be able to use a trusted key to
> authenticate with the KDC to create the FAST channel. Your options
> are using an already-existing key (such as a host key) or anonymous
> PKINIT. But the "anonymous" part of anonymous PKINIT only refers to the
> CLIENT being anonymous; you still need the client to be able to verify
> the KDC's certificate (otherwise anyone could pretend to be your KDC and
> you could end up sending your OTP output to them, which would be bad).

Agreed.

The docs that I referenced still made it seem that the anchor config
was somewhat optional for anonymous auth.

...but maybe I wasn't reading those lines with the proper mindset or context.

> That's the piece you were missing. Once you have the FAST channel set
> up then you can use that to securely send the OTP response.
>
> I see in a later message you got it working; great! Just FYI in case
> anyone else asks, the key line in that trace output was this:
>
> [1185088] 1682519355.427424: Processing preauth types: PA-PK-AS-REQ
> (16), PA-FX-FAST (136), PA-ETYPE-INFO2 (19), PA-PKINIT-KX (147),
> PA-ENCRYPTED-CHALLENGE (138), PA_AS_FRESHNESS (150), PA-FX-COOKIE
> (133), PA-FX-ERROR (137)
>
> You're missing PA-OTP-REQUEST, which was because (as you discovered)
> that plugin wasn't installed. But that requires a lot of Kerberos
> knowledge to get to that point :-/

Yup!

> It does occur to me a useful addition to kinit might be a flag that
> means "authenticate using anonymous PKINIT and then use those
> credentials as a FAST armour credential cache" so you wouldn't have
> to muck around with juggling credential caches.

That would be great and would eliminate an impending shell alias for me:

alias kinit-otp='kinit -n -c /tmp/somecache; kinit -T /tmp/somecache'

Thanks for all the help, Ken (and BuzzSaw and Greg). It is very appreciated!

-m
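The diagnostic Ken walks through above (reading the "Processing preauth types" line of a KRB5_TRACE dump to see whether the KDC offered FAST and OTP) as an added example, not code from the thread or from MIT krb5. It assumes the trace line format quoted in the message and takes the PA-OTP-REQUEST type number (142) from RFC 6560; the sample trace text is constructed for the example.

```python
import re
from typing import Dict, List

# One "NAME (number)" entry from the "Processing preauth types:" list that
# KRB5_TRACE prints while kinit negotiates pre-authentication with the KDC.
PA_ENTRY_RE = re.compile(r"([A-Z0-9_-]+) \((\d+)\)")
# The list runs from the marker to the next "[pid] timestamp:" record or end of text.
PA_LIST_RE = re.compile(r"Processing preauth types: (.*?)(?=\[\d+\] [\d.]+:|$)")


def preauth_types(trace_text: str) -> Dict[str, int]:
    """Return {name: number} for every preauth type in a KRB5_TRACE dump.

    Mail clients wrap the long trace line, so the text is flattened first.
    """
    flat = " ".join(line.strip() for line in trace_text.splitlines())
    types: Dict[str, int] = {}
    for m in PA_LIST_RE.finditer(flat):
        for name, num in PA_ENTRY_RE.findall(m.group(1)):
            types[name] = int(num)
    return types


def diagnose_otp_fast(trace_text: str) -> List[str]:
    """Explain, in the terms of the thread, why an OTP kinit over FAST is not getting off the ground."""
    types = preauth_types(trace_text)
    problems: List[str] = []
    if "PA-FX-FAST" not in types:
        problems.append("no FAST armor offered: obtain an armor cache first "
                        "(kinit -n with pkinit_anchors set, then kinit -T <cache>)")
    if "PA-OTP-REQUEST" not in types:
        problems.append("PA-OTP-REQUEST absent: the KDC is not offering OTP, "
                        "check that the otp preauth plugin is installed and enabled")
    return problems


# Constructed sample input: the first block is the wrapped trace line quoted in
# the thread (OTP missing); the second is what a working setup would show once
# the OTP plugin is present (PA-OTP-REQUEST = 142 per RFC 6560, an assumption here).
TRACE_BROKEN = """[1185088] 1682519355.427424: Processing preauth types: PA-PK-AS-REQ
(16), PA-FX-FAST (136), PA-ETYPE-INFO2 (19), PA-PKINIT-KX (147),
PA-ENCRYPTED-CHALLENGE (138), PA_AS_FRESHNESS (150), PA-FX-COOKIE
(133), PA-FX-ERROR (137)
"""
TRACE_OK = ("[4242] 1682519400.000001: Processing preauth types: PA-FX-FAST (136), "
            "PA-OTP-REQUEST (142), PA-FX-COOKIE (133), PA-FX-ERROR (137)\n")

if __name__ == "__main__":
    for label, trace in (("thread", TRACE_BROKEN), ("fixed", TRACE_OK)):
        print(label, diagnose_otp_fast(trace) or ["OTP over FAST looks negotiable"])
```

Run it against `KRB5_TRACE=/dev/stderr kinit ... 2>trace.log` output to get the same verdict Ken derived by eye.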
