Re: help with OTP

https://www.rocksolidbbs.com/devel/article-flat.php?id=362&group=comp.protocols.kerberos#362

From: kenh@cmf.nrl.navy.mil (Ken Hornstein)
Newsgroups: comp.protocols.kerberos
Subject: Re: help with OTP
Date: Mon, 01 May 2023 20:37:23 -0400
Message-ID: <mailman.79.1682987855.1964.kerberos@mit.edu>
In-Reply-To: <PH0PR14MB549307B0C36B735AE3375F33AA6E9@PH0PR14MB5493.namprd14.prod.outlook.com>
List-Id: The Kerberos Authentication System Mailing List <kerberos.mit.edu>

>Anonymous PKINIT works fine but requires certs to be distributed. Unless
>you're prepared to update every machine in the world every year, you
>pretty much have to use a cert that goes back to a commercial CA.

At least for us, we already did that hard work and have PKINIT already
working within the DoD PKI, so anonymous PKINIT is trivial. But even
with the kpServerAuth flag you still need an EKU that is not in "normal"
commercial certificates, at least in my limited experience. The
frustrating thing for me is that in theory you can have the DoD PKI
issue a KDC certificate with the right extensions so you wouldn't even
need the pkinit_kdc_hostname lines, but unfortunately the ASN.1 encoding
for that ends up being incorrect (I tried to get them to fix it but
sadly was unsuccessful).

>Furthermore, your applications have to be written for it. They can't use
>the normal krb5 API calls for getting a credential from a password. I
>actually wrote a LD_PRELOAD wrapper to make a normal application work.

Right, that was the OTHER piece I didn't quite understand at first
glance; it seems like the actual implementation was 70% complete in
terms of actual usability. At least I didn't miss anything there!

--Ken
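The two client-side setups Ken contrasts above (a commercial serverAuth certificate accepted via kpServerAuth plus pkinit_kdc_hostname, versus a KDC certificate that carries the RFC 4556 extensions) look like this in MIT krb5's krb5.conf. This is an added illustration, not configuration from the thread or from NRL; the realm EXAMPLE.COM, the host kdc.example.com and the anchor file path are placeholders.

```ini
# krb5.conf fragment for a client that obtains anonymous tickets with
# "kinit -n @EXAMPLE.COM". Added example; realm, host name and path are
# assumptions, not values from the thread.
[libdefaults]
    default_realm = EXAMPLE.COM

[realms]
    EXAMPLE.COM = {
        kdc = kdc.example.com

        # CA(s) trusted to have issued the KDC's certificate. Keep this to
        # the CA that actually issues your KDC certificates: with a broad
        # commercial bundle here, any serverAuth certificate for the host
        # below from any of those CAs would pass as the KDC.
        pkinit_anchors = FILE:/etc/krb5/kdc-ca.pem

        # Variant A: KDC certificate from a general-purpose/commercial CA.
        # Such certificates carry id-kp-serverAuth and a dNSName SAN, not
        # the id-pkinit-KPKdc EKU and id-pkinit-san that RFC 4556 expects,
        # so the client must be told to accept serverAuth in place of
        # id-pkinit-KPKdc and which DNS name(s) identify the KDC.
        pkinit_eku_checking = kpServerAuth
        pkinit_kdc_hostname = kdc.example.com

        # Variant B: KDC certificate issued with the RFC 4556 extensions
        # (EKU id-pkinit-KPKdc, OID 1.3.6.1.5.2.3.5, and an id-pkinit-san,
        # OID 1.3.6.1.5.2.2, naming krbtgt/EXAMPLE.COM@EXAMPLE.COM).
        # The two lines above are then unnecessary; the default applies:
        # pkinit_eku_checking = kpKDC
        # and no pkinit_kdc_hostname entry is needed.

        # Do not ship this: it disables the EKU check entirely, so any
        # certificate chaining to the anchors above can act as the KDC.
        # pkinit_eku_checking = none
    }
```

Anonymous PKINIT needs no pkinit_identities entry on the client, since the client proves nothing about itself and only authenticates the KDC; the resulting ticket's client principal is WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS. The KDC side must have the WELLKNOWN/ANONYMOUS principal created (kadmin addprinc -randkey WELLKNOWN/ANONYMOUS) and its own pkinit_identity and pkinit_anchors in kdc.conf.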
