Re: 2FA with krb5

From: J.Witvliet
Newsgroups: comp.protocols.kerberos
Subject: Re: 2FA with krb5
Date: Thu, 7 Oct 2021 05:05:33 +0000
Message-ID: <mailman.0.1633583144.13936.kerberos@mit.edu>
References: <5ee92454-ec38-d5de-5b36-4b2d87fd7f@prime.gushi.org>
To: <danm@prime.gushi.org>, <kerberos@mit.edu>
List-Id: The Kerberos Authentication System Mailing List <kerberos.mit.edu>

What do you regard as “expensive”?
Strong 2FA with a worldwide-acceptable PKI can be obtained for €70 apiece.
If you can afford the time and are willing to run your own CA, you can lower it to €15 apiece.

The first can be obtained by applying for Estonian e-Residency: https://learn.e-resident.gov.ee/hc/en-us/articles/360000625098-Why-become-an-e-resident

The second by buying smart cards at aventra.fi: https://aventra.fi/webshop/index.php?route=product/product&product_id=87

From: "Dan Mahoney (Gushi)" <danm@prime.gushi.org>
Date: Wednesday, 6 October 2021 at 23:18:51
To: "kerberos@mit.edu" <kerberos@mit.edu>
Subject: 2FA with krb5

All,

We use Kerberos but NOT LDAP at the day job.

We'd like to be able to leverage 2FA for some services (admins) and some
services (ssh logins) but not have to pump a 2FA code into, say, our mail
applications. Is there a way to make the acquisition of a TGT (for GSSAPI
authentication) vs. password authentication require 2FA?

That's complication number one.

Complication number 2 is something like "SecurID is *expensive* for a
fairly small (<10) admin team."

Is there any reasonable support for off-the-shelf TOTP or HOTP
authenticators, i.e. Google Authenticator or whatnot? If so, is there
support for a user to have *multiple* available authenticators, such that
one can be expired and others not?

Googling this all gets me a bunch of articles (some older, some newer)
about the varying states of SPAKE and the like, and... a whole bunch of
ads now being shown for startups that want to do it differently, but I'm
SURE there's no way to integrate with this.

The final problem, of course, is that if I make all my KDCs 2FA-aware on
their own, there's no communication of double-use of a token, unless I
centralize things, which breaks the purpose of having geo-diverse KDCs.
I don't suppose the Kerberos DB replication mechanism has anything that
can also share this state?

This is all pie-in-the-sky stuff, but practical answers ("just an FAQ") are
hard to find.

-Dan

--

--------Dan Mahoney--------
Techie, Sysadmin, WebGeek
Gushi on efnet/undernet IRC
FB: fb.com/DanielMahoneyIV
LI: linkedin.com/in/gushi
Site: http://www.gushi.org
---------------------------

________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos

This message may contain information that is not intended for you. If you are not the addressee or if this message was sent to you by mistake, you are requested to inform the sender and delete the message. The State accepts no liability for damage of any kind resulting from the risks inherent in the electronic transmission of messages.
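Added example, not code from either message in this thread and not MIT krb5's own OTP code: the MIT KDC's OTP preauthentication (RFC 6560) does not verify codes itself but relays them to a RADIUS server configured in the [otp] section of kdc.conf, so what follows stands in for that backend. It shows the verification side of the off-the-shelf TOTP/HOTP scheme Dan asks about, with the two properties he raises: several authenticators per user, each with its own expiry, and rejection of a second use of a code, which only works across KDCs if the redeemed time step is shared between them. The 20-byte secret and the timestamp 59 are the RFC 4226/6238 test vectors; user names, token labels and the second secret are constructed for the demo.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass, field
from typing import Dict, List, Optional


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the number of time steps since the epoch."""
    return hotp(secret, unix_time // step, digits, algo)


@dataclass
class Token:
    label: str
    secret: bytes
    expires_at: Optional[int] = None  # Unix time after which this authenticator is retired
    last_step: int = -1               # highest time step already redeemed (replay guard)


@dataclass
class OtpStore:
    """All authenticators for all users.  For the replay guard to hold across several
    KDCs, last_step must be shared between them (replicated or centralised); a verifier
    that only knows its own history cannot see a code already redeemed elsewhere."""
    tokens: Dict[str, List[Token]] = field(default_factory=dict)
    step: int = 30    # TOTP time step in seconds
    window: int = 1   # accept codes this many steps either side of now (clock skew)

    def enroll(self, user: str, label: str, secret: bytes, expires_at: Optional[int] = None) -> None:
        self.tokens.setdefault(user, []).append(Token(label, secret, expires_at))

    def verify(self, user: str, code: str, now: int) -> Optional[str]:
        """Return the label of the authenticator that produced `code`, or None.
        Each step is redeemable once per token, and older steps are closed off with it,
        so a code captured from the wire cannot be replayed later within the window."""
        if not (code.isdigit() and len(code) == 6):
            return None
        current = now // self.step
        for tok in self.tokens.get(user, []):
            if tok.expires_at is not None and now >= tok.expires_at:
                continue  # retired authenticator: never consulted; the others keep working
            for step in range(current - self.window, current + self.window + 1):
                if step <= tok.last_step:
                    continue  # already redeemed (or older than one that was): replay
                if hmac.compare_digest(hotp(tok.secret, step), code):
                    tok.last_step = step
                    return tok.label
        return None


def demo() -> Dict[str, Optional[str]]:
    """Walk through the cases from the thread with the RFC 4226/6238 test secret.
    User names, labels and the backup secret are constructed for this demo."""
    rfc_secret = b"12345678901234567890"           # RFC 4226 / RFC 6238 test-vector secret
    store = OtpStore()
    store.enroll("dan", "phone", rfc_secret)
    store.enroll("dan", "retired-key", b"constructed-backup-secret", expires_at=50)
    store.enroll("olduser", "phone", rfc_secret, expires_at=50)
    now = 59                                       # RFC 6238 sample time: time step 1
    code = totp(rfc_secret, now)                   # "287082"
    return {
        "first_use": store.verify("dan", code, now),            # "phone"
        "replay": store.verify("dan", code, now),               # None: step 1 already redeemed
        "skew": store.verify("dan", hotp(rfc_secret, 2), now),  # "phone": next step, inside window
        "expired": store.verify("olduser", code, now),          # None: only authenticator retired
        "malformed": store.verify("dan", "12345", now),         # None: not a 6-digit code
    }
```

The per-token `last_step` is the state Dan asks about: it is what has to travel between geo-diverse verifiers, and nothing in a KDC's own principal database replication carries it, which is why the RADIUS backend behind the KDC ends up being where this is centralised.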

