Re: 2FA with krb5

Newsgroups: comp.protocols.kerberos
From: eag...@eyrie.org (Russ Allbery)
Subject: Re: 2FA with krb5
Date: Thu, 07 Oct 2021 11:50:37 -0700
Organization: The Eyrie
Message-ID: <mailman.3.1633632654.13936.kerberos@mit.edu>
References: <5ee92454-ec38-d5de-5b36-4b2d87fd7f@prime.gushi.org>
<202110070127.1971R4KA032759@hedwig.cmf.nrl.navy.mil>
In-Reply-To: <202110070127.1971R4KA032759@hedwig.cmf.nrl.navy.mil> (Ken Hornstein's message of "Wed, 06 Oct 2021 21:27:04 -0400")
To: Ken Hornstein <kenh@cmf.nrl.navy.mil>
Cc: kerberos@mit.edu
List-Id: The Kerberos Authentication System Mailing List <kerberos.mit.edu>
List-Archive: <http://mailman.mit.edu/pipermail/kerberos>
Archived at: https://www.novabbs.com/devel/article-flat.php?id=163&group=comp.protocols.kerberos#163

Ken Hornstein <kenh@cmf.nrl.navy.mil> writes:

> I am not sure of the client coverage of the OTP FAST factor, though.

For what it's worth, although my pam-krb5 module implements FAST including
both keyed and anonymous FAST, it does not implement FAST OTP. This is
because (a) I didn't find any documentation of what I was supposed to do
as a client (it's been years since I looked so this quite possibly has
changed), and (b) attempting to set up a reasonable test environment
looked painful. In particular, there was (at the time, again haven't
checked recently) a lot of hand-waving about exactly how to set up the
RADIUS part, since MIT Kerberos just treats it as an oracle.

I haven't checked if sssd supports FAST OTP. That seems much more likely
given that they probably have enterprise use cases that would warrant
implementing it.

I'd be happy to take pull requests since I try to make pam-krb5 reasonably
completionist as a hobby (although be aware that it's a purely hobby
project at this point), but they would need to include changes to the ci
directory to set up the KDC and RADIUS server appropriately so that the
test suite could do a proper end-to-end integration test.

--
Russ Allbery (eagle@eyrie.org) <https://www.eyrie.org/~eagle/>
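The "RADIUS as an oracle" arrangement the message refers to is configured on the KDC side. The following kdc.conf excerpt is an added example, written for this page; it is not from the message, from pam-krb5 or from MIT Kerberos' own documentation, and the token type name `radiustoken`, the RADIUS host, the secret-file path and the realm `EXAMPLE.COM` are assumptions.

```ini
# Added example (not from the message or from pam-krb5). kdc.conf excerpt for
# MIT Kerberos 1.12 or later, which is when OTP preauth arrived. The token type
# name, host, secret path and realm are assumptions.
#
# The KDC validates nothing itself: it puts the user's OTP value into a RADIUS
# Access-Request and takes Access-Accept or Access-Reject as the verdict. That
# is what "treats it as an oracle" means in practice, so the security of the
# second factor is entirely the RADIUS server's problem.
[otp]
    radiustoken = {
        # RADIUS server the KDC forwards to; a UNIX-domain socket path also works.
        server = radius.example.com:1812
        # Path to a file holding the RADIUS shared secret. Keep it readable only
        # by the KDC user: the secret is what authenticates the server's replies.
        secret = /etc/krb5kdc/otp.secret
        # Seconds to wait for a reply, and how many resends before the preauth
        # attempt fails.
        timeout = 5
        retries = 3
        # Send "alice" rather than "alice@EXAMPLE.COM" as the RADIUS User-Name.
        strip_realm = true
    }
```

A principal is bound to that token type with kadmin's `setstr` command on the `otp` string attribute, whose value is a JSON list such as `[{"type":"radiustoken","username":"alice"}]`, and should have `requires_preauth` set. OTP preauth runs only inside a FAST tunnel, so a client needs an armor ticket first; with anonymous PKINIT enabled in the realm, `kinit -n -c /tmp/armor` followed by `kinit -T /tmp/armor alice@EXAMPLE.COM` is the command-line flow, and the KDC then relays the OTP prompt's answer to the server configured above. Whether a given PAM module or login client can drive that exchange is exactly the client-coverage question the thread is about.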
