Re: 2FA with krb5

Newsgroups: comp.protocols.kerberos
From: sim...@redhat.com (Simo Sorce)
Subject: Re: 2FA with krb5
Date: Thu, 07 Oct 2021 15:35:41 -0400
Organization: Red Hat
Message-ID: <mailman.7.1633635352.13936.kerberos@mit.edu>
References: <5ee92454-ec38-d5de-5b36-4b2d87fd7f@prime.gushi.org>
<202110070127.1971R4KA032759@hedwig.cmf.nrl.navy.mil>
<87pmsgpt36.fsf@hope.eyrie.org>
<202110071914.197JEXTD007325@hedwig.cmf.nrl.navy.mil>
In-Reply-To: <202110071914.197JEXTD007325@hedwig.cmf.nrl.navy.mil>
To: Ken Hornstein <kenh@cmf.nrl.navy.mil>, Russ Allbery <eagle@eyrie.org>
Cc: kerberos@mit.edu
List-Id: The Kerberos Authentication System Mailing List <kerberos.mit.edu>
List-Archive: <http://mailman.mit.edu/pipermail/kerberos>

On Thu, 2021-10-07 at 15:14 -0400, Ken Hornstein wrote:
> > Ken Hornstein <kenh@cmf.nrl.navy.mil> writes:
> >
> > > I am not sure of the client coverage of the OTP FAST factor, though.
> >
> > For what it's worth, although my pam-krb5 module implements FAST including
> > both keyed and anonymous FAST, it does not implement FAST OTP. This is
> > because (a) I didn't find any documentation of what I was supposed to do
> > as a client (it's been years since I looked so this quite possibly has
> > changed),
>
> Huh, I _kinda_ thought that if you had FAST going, you got FAST OTP (on
> the client at least) for free! Which shows what I know. Maybe it works
> already and you never tested it?
>
> > and (b) attempting to set up a reasonable test environment
> > looked painful. In particular, there was (at the time, again haven't
> > checked recently) a lot of hand-waving about exactly how to set up the
> > RADIUS part, since MIT Kerberos just treats it as an oracle.
>
> Right, THIS is actually a huge problem. Like having to set up a RADIUS
> server? Ugh. It's also a problem for development! Like the only
> way I have found to effectively test preauth mechanisms is to do
> testing on one of our replica KDCs.

Starting an ad-hoc KDC is pretty easy; I have it done in the make check
phase in many small projects, including starting an LDAP server. I
haven't tried RADIUS, but hopefully starting a FreeRADIUS server is not
exceedingly hard either.

Simo.

--
Simo Sorce
RHEL Crypto Team
Red Hat, Inc
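An added example of the kind of throwaway KDC a make check phase can bring up, so preauth mechanisms can be exercised against a private realm instead of a production replica. This is not code from the poster, from any of the projects mentioned, or from MIT krb5 itself; it assumes the MIT krb5 tools kdb5_util, kadmin.local, krb5kdc and kinit are on PATH, and the realm name, ports, test principal and password are constructed values for the example.

```shell
#!/bin/sh
# Throwaway MIT Kerberos KDC for a test suite's "make check" phase.
# Added example for this thread, not code from the poster or from MIT krb5.
# Assumes kdb5_util, kadmin.local, krb5kdc and kinit are on PATH. The realm,
# ports, principal and password below are constructed, never real ones.

TEST_REALM="KDCTEST.EXAMPLE"   # constructed test realm
KDC_PORT=18088                 # unprivileged ports: no root needed to bind
KADMIN_PORT=18749
TEST_PRINC="tester"
TEST_PASS="test-password-0"    # constructed throwaway secret

# Write krb5.conf, kdc.conf and kadm5.acl under $1 so nothing touches
# /etc or the system KDC database.
write_kdc_config() {
    dir="$1"
    mkdir -p "$dir/db" || return 1
    cat > "$dir/krb5.conf" <<EOF
[libdefaults]
    default_realm = $TEST_REALM
    dns_lookup_kdc = false
    dns_lookup_realm = false
    rdns = false

[realms]
    $TEST_REALM = {
        kdc = 127.0.0.1:$KDC_PORT
        admin_server = 127.0.0.1:$KADMIN_PORT
    }
EOF
    cat > "$dir/kdc.conf" <<EOF
[kdcdefaults]
    kdc_listen = 127.0.0.1:$KDC_PORT
    kdc_tcp_listen = 127.0.0.1:$KDC_PORT

[realms]
    $TEST_REALM = {
        database_name = $dir/db/principal
        key_stash_file = $dir/db/stash
        acl_file = $dir/kadm5.acl
        default_principal_flags = +preauth
    }

[logging]
    kdc = FILE:$dir/kdc.log
EOF
    printf '*/admin@%s *\n' "$TEST_REALM" > "$dir/kadm5.acl"
}

# Point the krb5 tools and libraries at the private configuration.
use_kdc_env() {
    KRB5_CONFIG="$1/krb5.conf"; export KRB5_CONFIG
    KRB5_KDC_PROFILE="$1/kdc.conf"; export KRB5_KDC_PROFILE
    KRB5CCNAME="FILE:$1/ccache"; export KRB5CCNAME
}

# Create the realm database, add one preauth-required test principal and
# start krb5kdc in the foreground (-n) so it dies with the test job.
start_test_kdc() {
    dir="$1"
    command -v krb5kdc >/dev/null 2>&1 || { echo "krb5kdc not installed" >&2; return 1; }
    write_kdc_config "$dir" || return 1
    use_kdc_env "$dir"
    master_pw=$(head -c 16 /dev/urandom | od -An -tx1 | tr -d ' \n')
    kdb5_util create -s -r "$TEST_REALM" -P "$master_pw" >/dev/null || return 1
    kadmin.local -q "addprinc -pw $TEST_PASS $TEST_PRINC@$TEST_REALM" >/dev/null || return 1
    krb5kdc -n -P "$dir/kdc.pid" -r "$TEST_REALM" &
    echo $! > "$dir/kdc.bgpid"
    # Readiness check: a password AS exchange against the new KDC must succeed.
    i=0
    while [ "$i" -lt 20 ]; do
        if printf '%s\n' "$TEST_PASS" | kinit "$TEST_PRINC@$TEST_REALM" >/dev/null 2>&1; then
            return 0
        fi
        i=$((i + 1)); sleep 1
    done
    echo "KDC did not come up; see $dir/kdc.log" >&2
    return 1
}

# Tear down: stop the daemon, drop the test ticket cache, delete the realm.
stop_test_kdc() {
    [ -f "$1/kdc.bgpid" ] && kill "$(cat "$1/kdc.bgpid")" 2>/dev/null
    kdestroy -q 2>/dev/null
    rm -rf "$1"
}

# Usage in a make check target (run with your own test runner in the middle):
#   d=$(mktemp -d); start_test_kdc "$d" && run_preauth_tests; stop_test_kdc "$d"
```

Everything lives under one temporary directory selected by KRB5_CONFIG and KRB5_KDC_PROFILE, so the suite never reads the host's /etc/krb5.conf or its KDC database, and the readiness check is a real AS exchange rather than a sleep, which also verifies that preauth is being enforced for the test principal.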
