Re: 2FA with krb5

https://www.novabbs.com/devel/article-flat.php?id=162&group=comp.protocols.kerberos#162

From: ken...@cmf.nrl.navy.mil (Ken Hornstein)
Newsgroups: comp.protocols.kerberos
Subject: Re: 2FA with krb5
Date: Thu, 07 Oct 2021 14:35:35 -0400
Organization: TNet Consulting
Lines: 10
Message-ID: <mailman.2.1633631802.13936.kerberos@mit.edu>
References: <5ee92454-ec38-d5de-5b36-4b2d87fd7f@prime.gushi.org>
<202110070127.1971R4KA032759@hedwig.cmf.nrl.navy.mil>
<835yu8agao.fsf@jochen.org>
Cc: kerberos@mit.edu
To: Jochen Kellner <jochen@jochen.org>
In-Reply-To: <835yu8agao.fsf@jochen.org>
List-Id: The Kerberos Authentication System Mailing List <kerberos.mit.edu>
List-Archive: <http://mailman.mit.edu/pipermail/kerberos>

>I've been running Privacyidea (https://www.privacyidea.org/) for some
>time to manage the tokens. Exposed the Application with RADIUS and told
>FreeIPA to authenticate against RADIUS. Had some rough edges, but was
>usable for me and is able to manage many kinds of tokens.

So what's the _client_ look like? Specifically, are you doing FAST-OTP?
If so, what client software are you using? Does this only work on
systems with host keys, or do you do anonymous PKINIT?

--Ken
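
As an added illustration that is not part of Ken's or Jochen's posts, here is a client-side MIT krb5 configuration for the two armoring options Ken asks about (a host key versus anonymous PKINIT), with the OTP exchange then running inside the FAST tunnel. The realm EXAMPLE.ORG, the KDC host name, the CA file path and the user principal are placeholder assumptions.

```ini
# Client-side krb5.conf fragment (MIT krb5). Realm, KDC host and CA path
# are assumed placeholders. Option B below additionally requires the KDC
# to permit anonymous PKINIT (the WELLKNOWN/ANONYMOUS principal).
[libdefaults]
    default_realm = EXAMPLE.ORG

[realms]
    EXAMPLE.ORG = {
        kdc = kdc.example.org
        # CA that signed the KDC's PKINIT certificate. Without it the
        # client cannot verify the KDC during anonymous PKINIT, so the
        # armor ticket (and everything tunnelled inside it) is untrusted.
        pkinit_anchors = FILE:/etc/krb5/pkinit-ca.pem
    }

# Obtaining a FAST armor ticket, then an OTP-authenticated TGT:
#
#   Option A: a host with a keytab armors with its own host key.
#     kinit -k -t /etc/krb5.keytab -c /tmp/armor_cc host/$(hostname -f)
#
#   Option B: any machine (no host key needed) armors with an anonymous
#   PKINIT ticket; the KDC is authenticated via pkinit_anchors above.
#     kinit -n -c /tmp/armor_cc
#
#   Either way, the OTP preauth runs inside the FAST channel, so the
#   one-time code is never sent to the KDC in the clear:
#     kinit -T /tmp/armor_cc jochen@EXAMPLE.ORG
#   kinit prompts for the OTP; the KDC relays it to its RADIUS backend
#   (privacyidea in the setup quoted above) for verification.
```

Without an armor cache (`-T`), kinit will not use FAST and the KDC should refuse the OTP preauth exchange rather than accept the code unprotected.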
