Re: help with OTP

From: eagle@eyrie.org (Russ Allbery)
Newsgroups: comp.protocols.kerberos
Subject: Re: help with OTP
Date: Wed, 26 Apr 2023 11:57:31 -0700
Organization: The Eyrie
Cc: Greg Hudson <ghudson@mit.edu>, Ken Hornstein <kenh@cmf.nrl.navy.mil>
To: Ken Hornstein via Kerberos <kerberos@mit.edu>
In-Reply-To: <202304261528.33QFSGrc012160@hedwig.cmf.nrl.navy.mil> (Ken
Hornstein via Kerberos's message of "Wed, 26 Apr 2023 11:28:16 -0400")
List-Id: The Kerberos Authentication System Mailing List <kerberos.mit.edu>

Ken Hornstein via Kerberos <kerberos@mit.edu> writes:

> Well, dang, that's one for the toolbox! I was able to confirm that
> works just fine (but note I already had an existing PKINIT
> infrastructure to leverage). I will note that the existing
> documentation implies you could authenticate to WELLKNOWN/ANONYMOUS
> using your password, but maybe that isn't true? I'm specifically
> referring to the documentation for the '-n' option for kinit, the
> "second form" of anonymous tickets. There is a note that this isn't
> supported, but it mentions MIT Kerberos 1.8 so one could believe that
> note is out of date.

> This is kind of the giant mystery surrounding FAST. If you're not
> familiar with the gory details of the FAST protocol you're kind of left
> stumbling around to figure out what exactly you need to do. I realize
> this is probably because it's hard to write documentation for beginners
> (certainly I am guilty of this also); I'm only making this as a general
> observation.

I worked through a bunch of this for pam-krb5 back in the day and made it
support a set of reasonable things, including anonymous PKINIT to
establish the FAST armor. People who are working in this area may find
its source code useful to look at, although I think there have been
improvements since then and what it does may no longer be best practice.

https://github.com/rra/pam-krb5/blob/main/module/fast.c

--
Russ Allbery (eagle@eyrie.org) <https://www.eyrie.org/~eagle/>
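The command-line form of the flow discussed in this thread (an anonymous PKINIT ticket used as FAST armor for the real password exchange), as an added example that is not from the thread or from pam-krb5. It assumes MIT Kerberos kinit/klist, a placeholder realm EXAMPLE.COM, pkinit_anchors set in the client krb5.conf, and a KDC configured for PKINIT with the WELLKNOWN/ANONYMOUS principal enabled.

```shell
#!/bin/sh
# Added example, not code from the thread or from pam-krb5. Assumptions:
# EXAMPLE.COM is a placeholder realm; the client krb5.conf sets pkinit_anchors;
# the KDC supports PKINIT and anonymous tickets. Only MIT kinit/klist are used.
REALM="${REALM:-EXAMPLE.COM}"
ARMOR_CC="${ARMOR_CC:-FILE:/tmp/krb5cc_fast_armor}"

# Step 1: anonymous PKINIT. "@REALM" (empty name) requests a fully anonymous
# ticket: the KDC is authenticated by its certificate and the client sends no
# secret, so the ticket can serve as armor before any password is used.
armor_cmd() {
    printf 'kinit -n -c %s @%s' "$ARMOR_CC" "$REALM"
}

# Step 2: the user's password AS exchange wrapped in FAST. -T names the armor
# cache from step 1, so the pre-authentication data is protected by the armor
# key rather than relying on the password-derived key alone.
user_cmd() {
    printf 'kinit -T %s %s@%s' "$ARMOR_CC" "$1" "$REALM"
}

# Check that a cache really holds an anonymous ticket before using it as armor;
# a cache with a named principal is not what step 2 is meant to be armored with.
armor_is_anonymous() {
    klist -c "$1" 2>/dev/null | grep -q 'WELLKNOWN/ANONYMOUS'
}

# Run both steps for user "$1". Returns 2 if MIT kinit is not installed,
# 3 if step 1 did not yield an anonymous ticket, otherwise the exit status
# of the armored kinit.
fast_login() {
    command -v kinit >/dev/null 2>&1 || return 2
    kinit -n -c "$ARMOR_CC" "@$REALM" || return $?
    armor_is_anonymous "$ARMOR_CC" || return 3
    kinit -T "$ARMOR_CC" "$1@$REALM"
}
```

After a successful run, `klist -c "$ARMOR_CC"` should show WELLKNOWN/ANONYMOUS as the default principal and the default cache should hold the user's TGT.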
