Rocksolid Light

Welcome to RetroBBS

mail  files  register  newsreader  groups  login

Message-ID:  

Polymer physicists are into chains.

devel / comp.protocols.kerberos / Re: help with OTP

SubjectAuthor
o Re: help with OTPCharles Hedrick

1
Re: help with OTP

<mailman.77.1682973007.1964.kerberos@mit.edu>

  copy mid

https://www.rocksolidbbs.com/devel/article-flat.php?id=360&group=comp.protocols.kerberos#360

  copy link   Newsgroups: comp.protocols.kerberos
Path: i2pn2.org!i2pn.org!weretis.net!feeder6.news.weretis.net!tncsrv06.tnetconsulting.net!.POSTED.mailman.mit.edu!not-for-mail
From: hedrick@rutgers.edu (Charles Hedrick)
Newsgroups: comp.protocols.kerberos
Subject: Re: help with OTP
Date: Mon, 1 May 2023 20:29:31 +0000
Organization: TNet Consulting
Lines: 56
Message-ID: <mailman.77.1682973007.1964.kerberos@mit.edu>
References: <CAOLfK3WVppnk3eouiLTxhiR5gXQcCVd7K5xr_erP=y_RkeVpPw@mail.gmail.com>
<202304242225.33OMPJdw026540@hedwig.cmf.nrl.navy.mil>
<CAOLfK3XZF95-XoaW8y8cMrMETpWQNV-=EEkMyreo18WXH5M3sg@mail.gmail.com>
<CAJhaRZ+wc0N_YX06jdsh8iHTSn1dJoH3bn6q6Mm0V35h-8FARg@mail.gmail.com>
<CAOLfK3Xs9X25-jY+GjXqmNEOYbSNSVMXdBojX=k28FWqenWG+A@mail.gmail.com>
<CAJhaRZJP+Cz0RkSyOaWmjH5UHjye43k7B9G=dRechpN3Ad4qXg@mail.gmail.com>
<CAOLfK3VOZSNFhpkSKy5XsaA2mFUDVCGdjjZdna_O8M2RaAZPyw@mail.gmail.com>
<202304260001.33Q01xYH024064@hedwig.cmf.nrl.navy.mil>
<7586f99f-1c5e-f8c9-e128-eb457508556b@mit.edu>
<202304261528.33QFSGrc012160@hedwig.cmf.nrl.navy.mil>
<871qk61nfo.fsf@hope.eyrie.org>
<PH0PR14MB549307B0C36B735AE3375F33AA6E9@PH0PR14MB5493.namprd14.prod.outlook.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Injection-Info: tncsrv06.tnetconsulting.net; posting-host="mailman.mit.edu:18.7.21.50";
logging-data="29945"; mail-complaints-to="newsmaster@tnetconsulting.net"
Cc: Ken Hornstein <kenh@cmf.nrl.navy.mil>
To: Russ Allbery <eagle@eyrie.org>, Ken Hornstein via Kerberos
<kerberos@mit.edu>
Authentication-Results: mit.edu; dmarc=pass (p=quarantine dis=none)
header.from=rutgers.edu
Authentication-Results: mit.edu; arc=pass smtp.remote-ip=18.9.3.18
ARC-Seal: i=4; a=rsa-sha256; d=mit.edu; s=arc; t=1682973004; cv=pass;
b=i7pX8wruUzFWGQkxs8issFGjEsQKS5JMCt/d6g6MNab/bFkgIxAPc3P5SCgL6SamC4V6lOvdjbjAjfqHZty9fd5ZNdKbtVAQxP3AvgOPNjTylCA33Rc2W/j6fC1sss4my3zf4VnA/Ea+8OechbaAgMacGcr38nKfNmJV6J1BP6OhvZmysjpGWWxWeN8JtSbg5Zd92uXUlLfdNFMaldZiFSlup+yb730RfT1L+X0sAC+N05F6ATu3AcThngraJe+i/15ZJvkXyYhJqvVJZ8lHjag53hk008AS9SVUXoCSjqPzTgjC9f5bwS3HAKeevv9XE4dC/EhJWyglt1s/Xjyw+Q==
ARC-Message-Signature: i=4; a=rsa-sha256; d=mit.edu; s=arc; t=1682973004;
c=relaxed/relaxed; bh=VnXQaXYmgCgVHTKlEbWWoXNKBMFhVSHbz6mpYNBTf3U=;
h=DKIM-Signature:DKIM-Signature:From:To:Subject:Date:Message-ID:
MIME-Version;
b=lxk5aap28XIg/9cZRPvCXTswPnlSrKrPDE0MOvp3m99X+PnWRaqwDbLiYruoz6d9oxmvI3eNvQ8Ed4YfioRwxorWz2KulUvvGzXauNkApXpDfrDX7i6nK/LM5/fj0b+I0FNZz7YrpA/pXWLpRibbCOehsFEzXkql7D8n+Hg3yUjnGPRZAbEapC3iyog+RsfzJSxgg7cEOj2QkWmV8ZRgiOX7k3BQ0vcaMuo4GU7iqM09KQd+WuIcIeOd0+zPPu30iwNuRlykSsjmxALYd+Q8uv+0H8vEbYAai80I0kfsBONQ/kxV07TZb9Bd9esFFqOkruSQ17i2lIpgVIOaycECXA==
ARC-Authentication-Results: i=4; mit.edu; dkim=pass (1024-bit key)
header.d=mitprod.onmicrosoft.com header.i=@mitprod.onmicrosoft.com
header.b=nlgTph7p;
dkim=pass (1024-bit key) header.d=rutgers.edu header.i=@rutgers.edu
header.b=Z0hHBYYF
Authentication-Results: mit.edu;
dkim=pass (1024-bit key) header.d=mitprod.onmicrosoft.com
header.i=@mitprod.onmicrosoft.com header.b=nlgTph7p;
dkim=pass (1024-bit key) header.d=rutgers.edu header.i=@rutgers.edu
header.b=Z0hHBYYF
ARC-Seal: i=3; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=pass;
b=INDLXUlMzTp9RkppHsiDDH2e1CUBh+Doh1ggEw1obGE+C2FJR9uiN8CXT6rPPgk3lLCMKm8qttdW4OCXG0t1asqMYTIZO4LhkB7J/nYfaiTJTLvPjN2AB52UrFVPn8Rr8mY4qwQmw0d0scqado0T3CUCcWFwMreR395DtOwvW2+1BV6w3q8TFm4d7je8th6lqH8P6bJN8cjouvSHoCxuo4LlUvbEUsn07BZX5KOJropwybCeXwXtL0DCNLUyBeraVQtnRK/3TCI0bbwsuPOVRSUOf2Wig563AjzswM3wMvZIavkbtFW+EqirXuBh65eGJwrKJDZ31mlsaP8rOExxsw==
ARC-Message-Signature: i=3; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com;
s=arcselector9901;
h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1;
bh=VnXQaXYmgCgVHTKlEbWWoXNKBMFhVSHbz6mpYNBTf3U=;
b=nIGK6hh3hSPQsuhkmhix5un3IBikWw+w9IdU8+LQesLRUB7OZyj8pwLAAjFbQYcqkQO7AmDG971vCcUm1XowSUJVMr114x76OfoVSZSXQ9lHB5uRSKrrrgy9gPTwWW/LTPWfhg1dHwKSmd1XWpimkTJlOW7vUS4I9st30nQUJk1itqyQtHLyCWoJAoelVYpS1TQRS439+7IjOQN+AU1+/1tFe+HrmsPxHy+Knr4XFWGNp6ublK5zmeoT/g6IxQcs/pMciXVW0p6BF2ptuYiMRAiOxbLIbTE/gL1CYdQSNF5lmmxm8BTj8PC9b/JxsLvCaj+/Aww+UGvTArPPgBfkyA==
ARC-Authentication-Results: i=3; mx.microsoft.com 1; spf=none (sender ip is
40.107.95.136) smtp.rcpttodomain=mit.edu smtp.mailfrom=rutgers.edu;
dmarc=pass (p=quarantine sp=quarantine pct=100) action=none
header.from=rutgers.edu; dkim=pass (signature was verified)
header.d=rutgers.edu; arc=pass (0 oda=1 ltdi=1
spf=[1,1,smtp.mailfrom=rutgers.edu] dkim=[1,1,header.d=rutgers.edu]
dmarc=[1,1,header.from=rutgers.edu])
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=mitprod.onmicrosoft.com; s=selector2-mitprod-onmicrosoft-com;
h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck;
bh=VnXQaXYmgCgVHTKlEbWWoXNKBMFhVSHbz6mpYNBTf3U=;
b=nlgTph7pxwienlhJV+XkY19i0gYfpSuAb0VXjV6TLlEuoMNNNBkNNXfrB2i58LCKRZi4a/cRqfw7Bxh6mH08GbyXE2MycWmMmEJuHcwpSLWVjjCTC4MjchhjWOUQos+qs5mRdXg6kTYIlLXQuy5Dt2TbE2bmtcsweiwi+4vCAFY=
ARC-Seal: i=2; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=pass;
b=CjgL+S/PIwFn0tuX6N2x0HBceHHrahK3/JMHxnIMj+nGn1NhBRzYBjOENDyVoQAeokt1ineQGUGnwiyiXRgeVYAna5LE6MuqyRWhK4s045wh/qpnMh31S39a+SUxFJZJXhrVL5g8wNKH6ARlUKT1mR9C/o1Y6UgOHhXCADT9Ai0pOuhVq0sXxj7WfzzE3hpEt2Ghzvf/Ns7cooEeT8B5f93o4UKiD/BH+srb+ek7c01iu+DjcIfGeS3lXN0bfm4fwXXh8STJritveJrzg4WTYlb9sQzlz2bjqe/+/HfiIf/pZsO6XCJDONeOcyfH1Bi8Z7ryyK/ionJ0GLkkVbpOLA==
ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com;
s=arcselector9901;
h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1;
bh=VnXQaXYmgCgVHTKlEbWWoXNKBMFhVSHbz6mpYNBTf3U=;
b=OJMIK16t8AafbomD9jRh5hk9VcXEtNPapurqZGzRJuIdfW6Bi4ugR5oNKXAtw4xU0yKCrhaQaCRkK9oAgT8JFFbcxSw30oOyJcT3Teiaoi5oyYcVEQWDFTMGN3oO2dovnSdXAuitizf0cOzfhoNwRDHhLMla4Gy7yOMlhKgBpBuNcN2praHfKYt1XvUh8tkfpa7xZSGKDeaerKBvd8Yydki3jQKha1nBtKPuf7TwVWczonbIaPWcbXEoVesH/pKeZ3aJjXI0/20tVNS+EvU/kFD/46eyEy427Y2hJl5VqusNixYvwtQcYoXOyfRZdEcVHAscHyfCYV/pHpoFHA2xgA==
ARC-Authentication-Results: i=2; mx.microsoft.com 1; spf=none (sender ip is
40.107.95.136) smtp.rcpttodomain=mit.edu smtp.mailfrom=rutgers.edu;
dmarc=pass (p=quarantine sp=quarantine pct=100) action=none
header.from=rutgers.edu; dkim=pass (signature was verified)
header.d=rutgers.edu; arc=pass (0 oda=1 ltdi=1
spf=[1,1,smtp.mailfrom=rutgers.edu] dkim=[1,1,header.d=rutgers.edu]
dmarc=[1,1,header.from=rutgers.edu])
Authentication-Results: spf=none (sender IP is 40.107.95.136)
smtp.mailfrom=rutgers.edu; dkim=pass (signature was verified)
header.d=rutgers.edu;dmarc=pass action=none header.from=rutgers.edu;
Received-SPF: None (protection.outlook.com: rutgers.edu does not designate
permitted sender hosts)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none;
b=evTlgS+RmEQxcEvQBtslREFs8jJj2eSeJQoOFdvQNNITBHgnZLI0GFx5arvHhE2Ucw7189fpfshtoWYXGxRQWi/TWIt4YUSFo0vTKH4iWAyLYuWI3ntCFgxG5SsDe3pede3zPIwMzvEQaPFh2jP7DS9mbWU2mVdsIGNw1W7kE7stVd3mj6c0efwL/BZz50PDfrVufem1k8flKIrPh2fo4vFNCxXS2BNUGvGRsR/J+RXWv7Pm+3W0PWSqli4yH5y096tBbv0LuA54PdpqbyhAqzexXxIW3ap489q+yZmOKrBmrNdoyzjYFTFIgoL13D6y9VswGpvSKYlBz8BDa1zwFA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com;
s=arcselector9901;
h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1;
bh=VnXQaXYmgCgVHTKlEbWWoXNKBMFhVSHbz6mpYNBTf3U=;
b=kyE5c22zMBoVwsQszjRV3s1gUgaKSNjlTE84Es3wra1d/8HPk5p83HJ/8anDqvj2l2F9hhGAsI/Uuiid0B1Ooe4Y4kP8fZhPAxvO1McyWLkeiRKDbdT2sTt5owCU1L+zyzdrDG6wZiHp9fgXtdd0m+TxKk144RCuPOefj6oFwfHNyJ5CXochBsgdBs7M54R0HKgWn4KNlkGqOz0pauFd3KoA4hUVvhLEs2Q0YRKrs2sF1mEdGcwAsEOX5aFC8so8UyJdX3sIbNBJ1HBwX6WJlzc/J3oWj9G/LY3GeKy63E7PRXgFSrtbdA6vFCmIEMvwV7xzhuML2SF5GFu2EP/gEA==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass
smtp.mailfrom=rutgers.edu; dmarc=pass action=none header.from=rutgers.edu;
dkim=pass header.d=rutgers.edu; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rutgers.edu;
s=selector1;
h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck;
bh=VnXQaXYmgCgVHTKlEbWWoXNKBMFhVSHbz6mpYNBTf3U=;
b=Z0hHBYYFARC2IKoAAmjBRTPI2QNuxGJ9o1TrszXC+paFHfNhG9Sp8boEEfNPnxe3kYQSOBHJTl9p+U4fdKypDPgDgUFNGsfrmxRfmK4nkOSFBmtqektS5x15yUBHjYYqcIKJR0H6yW14dcLleeFdQiDIlKZV9ix4lpWkshLaaM0=
Thread-Topic: help with OTP
Thread-Index: AQHZdvcMLIKKa031R0+RuAHvwyw68a87CV+AgAExWICAACAPAIAAHOYAgAAg6H+AAB4hAIAAWwiAgACnxgCAADwyJoAH736/
In-Reply-To: <871qk61nfo.fsf@hope.eyrie.org>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
msip_labels:
Authentication-Results-Original: dkim=none (message not signed)
header.d=none;dmarc=none action=none header.from=rutgers.edu;
x-ms-traffictypediagnostic: PH0PR14MB5493:EE_|PH0PR14MB5384:EE_|CO1NAM11FT083:EE_|BY5PR01MB5793:EE_
X-MS-Office365-Filtering-Correlation-Id: e122be25-6cd2-4eb3-7907-08db4a82c5f6
x-ms-exchange-senderadcheck: 1
X-MS-Exchange-AntiSpam-Relay: 0
X-Microsoft-Antispam-Untrusted: BCL:0;
X-Microsoft-Antispam-Message-Info-Original: R4mL3/MACVDypd+ow0N7GxIna2gymE29Ka1DvOm7TlZ1nXkkNhvkGb8iRVgTx/ZpElnCZ0h5Z0/UD7uXx6biwTu3Lg+sTIuwLCFcJbB1wnSoHLBYDycQxdfL3YjC5lpB7Jh6EE5G3ibmD1GXUXzghIVDXKf1T1THaRG09Os+OLz9eQ/+rV+oWagqGEhMuoZ5Z8y9CHMeN6t0yjFBgYjkvyeIVnZD/Jow2r8QZPDEqLjrX8kSHQMYW1DS63DSFCYLbS4/UeDx25h1lPi83GEs84/3s1q3gBm0Xywq5dE8rnusVlCL9uDlfS+35GnRQ2XQ8XTIw9s75h8erP2+TlxN230asG1Uao+lE7eoOk0UiAIm8GW2uYZg6ipLSHZKJC1b01qmTvWz4MJxXogTE7w3+qpQdugM0ZroxnbqfCSxXZ4GQN+uIwQyETKvWUtkZdXdNzxzLM0Fhou72Ok/P7oOQ8ODOcbJGwsf5ijwaQTtg4kDmQBzRKbyxq9cXeoMD7URBSbIw7CGeYpC/UKeQhCWmzsJi9VqKWwHNjX3j+mWaRzgrRsBhEtgm8CPsNPmG8EQuYxrU8h50RBx7ZTwFEBqRE7pYNP5NhUSmwqiyPgvBlo=
X-Forefront-Antispam-Report-Untrusted: CIP:255.255.255.255; CTRY:; LANG:en;
SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:PH0PR14MB5493.namprd14.prod.outlook.com;
PTR:; CAT:NONE;
SFS:(13230028)(4636009)(376002)(346002)(366004)(136003)(396003)(39860400002)(451199021)(86362001)(33656002)(166002)(38100700002)(122000001)(38070700005)(19627405001)(8676002)(52536014)(5660300002)(7116003)(66946007)(66476007)(8936002)(41300700001)(4326008)(91956017)(76116006)(786003)(64756008)(316002)(66446008)(66556008)(55016003)(2906002)(41320700001)(3480700007)(71200400001)(966005)(110136005)(7696005)(75432002)(478600001)(6506007)(186003)(9686003)(53546011)(83380400001);
DIR:OUT; SFP:1102;
X-MS-Exchange-AntiSpam-MessageData-Original-ChunkCount: 1
X-MS-Exchange-AntiSpam-MessageData-Original-0: SJotYsPHKxtYVzryGg2lR+iX0dIiv0jgTINnb3aHsY8zNN8XItdv2baCpm
5FMmLVxAFdM0+TTJcGseV5lQHxiDxCFzL486S24wPzFfIr4wUgTb1RdYXA
1Exth8nVHlevE/wHblfuOml5i/9g88ShYCVQ4Get4MDIUWd9M6F9azn3z8
UjnL4irV3at355yILWQ6m1a5Xne7TXgZHJLZu2weZFbLGpntmMqBvJQJW3
erBTuMkvOcX8G+Y+49NCVSqdllPtM9i3yvJXZKrQhLtrzySUlUqKnefBHv
eWKshrT3SoMn6fpJZnM+Wn/XKxLR2d9vlOQK1a2mD9XiJND3ehjdzX591D
774b+nrPrWFOCtwi+0W+pR8fqKWaimbBDWmDwDWMW12urBo1i/LZdEdaOF
AyjmQy2EQhyDnk965PI52DVWavbsDr3lSe9goDnJ1Z4MK+SUvRxxY6BC9Y
uTFSHg2UDW9hVlnCStZDgo+yo2CcUsUKLgY4zX4+fDskybkWcvl+jnevEz
raJRrx/9AGc30kdytggjB0gY+bjkQVHqlsrEjWBS9J5wJ1WslLUHMewOCg
eCOs26aJR2u40Wg+1hDUsHqPXoRMi7hoqkpAhabgwrXEOym16DNdvM8D47
MHkOXcNyrImP0/L+S6NsRX6HWRNvN4io/O7QnW2QPkzPQb8fCH6MVhw3if
PnR6NQvRWu3Y9lQDHFrjeo0HzFqGnbAQpaydw1HnLEFYA5sv+V9wDVdwTa
w7QIIveWtsAvAXUN+3N3BQktdWMJnrEQs/dnQMU9J4fpwMsO6DmrWVMHJI
5FEvUnrFPwAnjGtAWOj8e24QAe3fYQCWBB46OrnACP77XeSpnKeRCki9xk
OVQx8KD1gJQxepVTfX8VLi3D1vyqnRgz9VIErUfNoq/0SIQBj9HIP9J7yj
WIc/UM9Q5W5MZTBLSBoml5e1dQZntspLdj4pOlJVZsDTTpfD34jx6OJpB+
sc6Erb9GhfWfxIwXlAiEWU0J1IADRJdake1YmqhKyPTg078e9yxlB++L7j
64mAQlXgwg/AwngzUgivjGqynKNoLuIE2nlTWA9Y7lnOjvULbpZ5ty56z+
Ly8RAb998cw76It5OZFFGkFFXhr3EaMgIGzpn3TM51VcmPcX6J/geUxKZq
XEz0gti0X5DAjpgptxh8/ZNDTTbS4a97vjIEvw/L2IeM+Bs1hrDyy7j5ob
qbTF6zCtoj8ajXVqcQxSmp3LBI6999rXOyqpUW3tP0V5UJ5Z2FdSUi6ED4
OWaMM6dmND/POybUxwZTAN3dAROTe04H9rWLkGxibVnvkiHqplnLjREiem
0qDEjSnBoVN3pEXdbV19nG4MtzUGsMFWStefu/DXLvSV96wz2lqgFU6DH/
CfdeQ7rU6CXEy6u63/glBu6eYAN/Q5CYEcCsuRdttWc8VdSjIfUH1ofGJW
HalvxojF1Em5I88Hoo4jRu7k2cnZPCYXcIFjHq237clFD+nLoIPsxS1tq0
IbK9JonFvIGkPL+oKcECNFKBCdmRFINh3eCRme7Bg+JAykNVjqfm3BEcn9
NjOPOzn2RXi2MB+ITO8GJLTlPcPVY2BMIogB8ncqUp5l5l1N4EHiEpOQ
==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: PH0PR14MB5384
X-EOPAttributedMessage: 0
X-EOPTenantAttributedMessage: 64afd9ba-0ecf-4acf-bc36-935f6235ba8b:0
X-MS-Exchange-Transport-CrossTenantHeadersStripped: CO1NAM11FT083.eop-nam11.prod.protection.outlook.com
X-MS-Exchange-Transport-CrossTenantHeadersPromoted: CO1NAM11FT083.eop-nam11.prod.protection.outlook.com
X-MS-PublicTrafficType: Email
X-MS-Office365-Filtering-Correlation-Id-Prvs: ce145f4d-59fd-4a9b-26f0-08db4a82c4f4
X-LD-Processed: 64afd9ba-0ecf-4acf-bc36-935f6235ba8b,ExtAddr
X-MS-Exchange-AtpMessageProperties: SA
X-Microsoft-Antispam: BCL:0;
X-Microsoft-Antispam-Message-Info: hilo8kmbgTxpOQFD9Ho0z1N8luy2HGxh2WExYVoYLxOWHCPpglZ3/OIen5te70w5EkVZqfV7E2rtedMiDS1kgnCqXUT7ODRlxfXRnyga9oORSm4olsiomU5llIi8Cpm9GTFcQioHzs3Uw2++5v4nm3fibSHOHExT030AZ/9xvdBBky9DtoaS0nzIK5Y8xbbGf0TvANmM7vtblWBuNsStJ7rsP3xetNgzr9/1tizh4WL2PSe/f/V/S/J2YPtaaNQngvBPxjHUApQNP9oqVCYLW/Ky37DtwEiZG+EC+c6sIJHf0iWD5opEIP82l0QXbWWwNNwfmFUra6hsLOO3lwOc7upDFhi6daOVmlSPHBjsOt5Fgjc2cNHgSlvbpoTvJiX8nFAFmJuW/9QkfPFCqxrFAb3qcrh0sMDooKDidSJt2SJrVVzoD4D+9qcwwPxYH0e/OXGajbGw4t7HjMgM0qnXwicZ18G1DD2mlO22F5RAJLdMViYX/qiHOmJ5IElcw+W/2BoKxcub5m44OXgJ49pU5985IfjmUVrxWomntYrSiSEwfbngug6o7zBpKxks4sZG2vuuG/pVURZPAvQjwaxHSWyAUCuDp2Aj0tXhHsP30hs=
X-Forefront-Antispam-Report: CIP:40.107.95.136; CTRY:US; LANG:en; SCL:1; SRV:;
IPV:NLI; SFV:NSPM; H:NAM02-DM3-obe.outbound.protection.outlook.com;
PTR:mail-dm3nam02on2136.outbound.protection.outlook.com; CAT:NONE;
SFS:(13230028)(4636009)(376002)(39860400002)(346002)(396003)(136003)(451199021)(83290400002)(83280400002)(4326008)(83320400002)(83310400002)(33656002)(83300400002)(336012)(7116003)(3480700007)(52536014)(83380400001)(19627405001)(2906002)(5660300002)(8676002)(107886003)(316002)(786003)(9686003)(26005)(68406010)(53546011)(70586007)(6506007)(356005)(498600001)(7636003)(75432002)(110136005)(86362001)(966005)(7696005)(166002)(55016003);
DIR:OUT; SFP:1102;
X-Auto-Response-Suppress: DR, OOF, AutoReply
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 01 May 2023 20:29:32.8806 (UTC)
X-MS-Exchange-CrossTenant-Network-Message-Id: e122be25-6cd2-4eb3-7907-08db4a82c5f6
X-MS-Exchange-CrossTenant-Id: 64afd9ba-0ecf-4acf-bc36-935f6235ba8b
X-MS-Exchange-CrossTenant-AuthSource: CO1NAM11FT083.eop-nam11.prod.protection.outlook.com
X-MS-Exchange-CrossTenant-AuthAs: Anonymous
X-MS-Exchange-CrossTenant-FromEntityHeader: Internet
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BY5PR01MB5793
X-OriginatorOrg: mitprod.onmicrosoft.com
X-Content-Filtered-By: Mailman/MimeDel 2.1.34
X-BeenThere: kerberos@mit.edu
X-Mailman-Version: 2.1.34
Precedence: list
List-Id: The Kerberos Authentication System Mailing List <kerberos.mit.edu>
List-Unsubscribe: <https://mailman.mit.edu/mailman/options/kerberos>,
<mailto:kerberos-request@mit.edu?subject=unsubscribe>
List-Archive: <http://mailman.mit.edu/pipermail/kerberos/>
List-Post: <mailto:kerberos@mit.edu>
List-Help: <mailto:kerberos-request@mit.edu?subject=help>
List-Subscribe: <https://mailman.mit.edu/mailman/listinfo/kerberos>,
<mailto:kerberos-request@mit.edu?subject=subscribe>
X-Mailman-Original-Message-ID: <PH0PR14MB549307B0C36B735AE3375F33AA6E9@PH0PR14MB5493.namprd14.prod.outlook.com>
X-Mailman-Original-References: <CAOLfK3WVppnk3eouiLTxhiR5gXQcCVd7K5xr_erP=y_RkeVpPw@mail.gmail.com>
<202304242225.33OMPJdw026540@hedwig.cmf.nrl.navy.mil>
<CAOLfK3XZF95-XoaW8y8cMrMETpWQNV-=EEkMyreo18WXH5M3sg@mail.gmail.com>
<CAJhaRZ+wc0N_YX06jdsh8iHTSn1dJoH3bn6q6Mm0V35h-8FARg@mail.gmail.com>
<CAOLfK3Xs9X25-jY+GjXqmNEOYbSNSVMXdBojX=k28FWqenWG+A@mail.gmail.com>
<CAJhaRZJP+Cz0RkSyOaWmjH5UHjye43k7B9G=dRechpN3Ad4qXg@mail.gmail.com>
<CAOLfK3VOZSNFhpkSKy5XsaA2mFUDVCGdjjZdna_O8M2RaAZPyw@mail.gmail.com>
<202304260001.33Q01xYH024064@hedwig.cmf.nrl.navy.mil>
<7586f99f-1c5e-f8c9-e128-eb457508556b@mit.edu>
<202304261528.33QFSGrc012160@hedwig.cmf.nrl.navy.mil>
<871qk61nfo.fsf@hope.eyrie.org>
 by: Charles Hedrick - Mon, 1 May 2023 20:29 UTC

Anonymous PKINIT works fine but requires certs to be distributed. Unless you're prepared to update every machine in the world every year, you pretty much have to use a cert that goes back to a commercial CA. But in that case you probably have to use the obscurely documented

pkinit_eku_checking = kpServerAuth
pkinit_kdc_hostname = kdc1.x.y
pkinit_kdc_hostname = kdc2.x.y

I can understand that a newcomer would find OTP pretty much impossible to set up in practice.

Furthermore, your applications have to be written for it. They can't use the normal krb5 API calls for getting a credential from a password. I actually wrote a LD_PRELOAD wrapper to make a normal application work.

________________________________
From: Kerberos <kerberos-bounces@mit.edu> on behalf of Russ Allbery <eagle@eyrie.org>
Sent: Wednesday, April 26, 2023 2:57 PM
To: Ken Hornstein via Kerberos <kerberos@mit.edu>
Cc: Ken Hornstein <kenh@cmf.nrl.navy.mil>
Subject: Re: help with OTP

Ken Hornstein via Kerberos <kerberos@mit.edu> writes:

> Well, dang, that's one for the toolbox! I was able to confirm that
> works just fine (but note I already had an existing PKINIT
> infrastructure to leverage). I will note that the existing
> documentation implies you could authenticate to WELLKNOWN/ANONYMOUS
> using your password, but maybe that isn't true? I'm specifically
> referring to the documentation for the '-n' option for kinit, the
> "second form" of anonymous tickets. There is a note that this isn't
> supported, but it mentions MIT Kerberos 1.8 so one could believe that
> note is out of date.

> This is kind of the giant mystery surrounding FAST. If you're not
> familiar with the gory details of the FAST protocol you're kind of left
> stumbling around to figure out what exactly you need to do. I realize
> this is probably because it's hard to write documentation for beginners
> (certainly I am guilty of this also); I'm only making this as a general
> observation.

I worked through a bunch of this for pam-krb5 back in the day and made it
support a set of reasonable things, including anonymous PKINIT to
establish the FAST armor. People who are working in this area may find
its source code useful to look at, although I think there have been
improvements since then and what it does may no longer be best practice.

https://github.com/rra/pam-krb5/blob/main/module/fast.c

--
Russ Allbery (eagle@eyrie.org) <https://www.eyrie.org/~eagle/>
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos

1
server_pubkey.txt

rocksolid light 0.9.8
clearnet tor