Re: 2FA with krb5

Newsgroups: comp.protocols.kerberos
From: ken...@cmf.nrl.navy.mil (Ken Hornstein)
Subject: Re: 2FA with krb5
Date: Fri, 08 Oct 2021 07:45:06 -0400
Message-ID: <mailman.0.1633693535.11892.kerberos@mit.edu>
https://www.novabbs.com/devel/article-flat.php?id=171&group=comp.protocols.kerberos#171
References: <5ee92454-ec38-d5de-5b36-4b2d87fd7f@prime.gushi.org>
<202110070127.1971R4KA032759@hedwig.cmf.nrl.navy.mil>
<87pmsgpt36.fsf@hope.eyrie.org>
<202110071914.197JEXTD007325@hedwig.cmf.nrl.navy.mil>
<380d6720b77f3e741f334afc9fda20bdf75b68f0.camel@redhat.com>
<87h7dspq3b.fsf@hope.eyrie.org>
<09D80C01-53F7-4B2D-95B0-EEE4A9A0F191@prime.gushi.org>
Cc: kerberos@mit.edu
To: Dan Mahoney <danm@prime.gushi.org>
In-Reply-To: <09D80C01-53F7-4B2D-95B0-EEE4A9A0F191@prime.gushi.org>
List-Id: The Kerberos Authentication System Mailing List <kerberos.mit.edu>
List-Archive: <http://mailman.mit.edu/pipermail/kerberos>

>I mean, this might be dumb, but why not have the kdc able to speak to
>pam modules directly?

All of those things are "send me a 2FA token and I will verify it".
(Also, the pam API really really wants to talk to a person, that's
the whole point of the "pam conversation" functions; I don't see how
you could make that work with a KDC).

Kerberos is "I am going to take your password which I already know,
convert it into an encryption key, and use it to verify your Kerberos
request". Kerberos needs to know the password/factor to make that
happen, where the typical 2FA API only tells you "is this token good
or not?".

I am aware of one site that a long, long time ago had developed code
in which the 2FA code was used as the Kerberos password directly; I never
thought that was a good idea myself, as the 2FA code never had a lot
of entropy to serve as a good encryption key, but it worked for them.

If you want to use something like TOTP, then I think you're probably
going to have to write your own FAST OTP preauth module. Which is
doable! Although in practice it seems like any preauth module requires
access to the MIT Kerberos ASN.1 decoder/encoder API, which means
an internal dependency. Sigh.

Sadly, at this stage right now if you want to effectively use 2FA with
Kerberos you're going to be stuck at the very minimum reading a lot of
source code and protocol documents to see if you have the application
coverage you need.

--Ken
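The contrast Ken draws above (a KDC that derives a key from a secret it already holds and verifies the client's preauth itself, versus a 2FA backend that can only answer "is this token good or not?", plus why a six-digit code makes a poor Kerberos password) can be made concrete in code. The following is an added example written for this page, not code from the post, from MIT Kerberos or from any site mentioned. It makes several simplifications, all of them assumptions of the example: `string_to_key` implements only the PBKDF2-HMAC-SHA1 stage of the RFC 3962 string-to-key for the AES enctypes and omits the final `DK(tkey, "kerberos")` step; the PA-ENC-TIMESTAMP exchange is stood in by an HMAC tag over the timestamp instead of real Kerberos encryption; the realm `EXAMPLE.COM`, principal `alice`, the clock value and the password are constructed, and the TOTP secret is the RFC 4226/6238 test-vector key `12345678901234567890`. The brute-force demo searches a narrow window of candidate codes only to keep runtime short; the real search space of a six-digit code is 10**6 PBKDF2 evaluations.

```python
"""Why a KDC can verify a password-derived key but not a bare 2FA token.

Added illustration, not MIT Kerberos code. See the lead-in for the
simplifications (PBKDF2 stage only, HMAC tag instead of encryption).
"""
import hashlib
import hmac
import math
import struct

# Default PBKDF2 iteration count RFC 3962 specifies for the AES enctypes.
KRB5_PBKDF2_ITERATIONS = 4096


def krb5_salt(realm: str, principal: str) -> bytes:
    """RFC 4120 default salt: realm name followed by the principal name."""
    return (realm + principal).encode("utf-8")


def string_to_key(password: str, salt: bytes,
                  iterations: int = KRB5_PBKDF2_ITERATIONS, keylen: int = 32) -> bytes:
    """PBKDF2-HMAC-SHA1 stage of RFC 3962 string-to-key (aes256 key length).

    Assumption/simplification: the real enctype finishes with an AES-based
    DK(tkey, "kerberos") derivation, which is omitted here.
    """
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt, iterations, keylen)


def make_pa_enc_timestamp(client_key: bytes, ts: int) -> bytes:
    """Client side of PA-ENC-TIMESTAMP, stood in by an HMAC-SHA256 tag.

    Real Kerberos encrypts the timestamp under the long-term key; an
    authenticated timestamp is enough to show the KDC's verification model.
    """
    body = struct.pack(">Q", ts)
    return body + hmac.new(client_key, body, hashlib.sha256).digest()


def tag_valid(key: bytes, blob: bytes) -> bool:
    """Does this key authenticate the captured preauth blob?"""
    body, tag = blob[:8], blob[8:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    return hmac.compare_digest(expected, tag)


def kdc_verify_timestamp(stored_key: bytes, blob: bytes, now: int, skew: int = 300) -> bool:
    """KDC side: it holds the password-derived key, so it checks the blob itself."""
    if not tag_valid(stored_key, blob):
        return False
    (ts,) = struct.unpack(">Q", blob[:8])
    return abs(now - ts) <= skew


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the counter with dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP over the current 30-second time step."""
    return hotp(secret, now // step, digits)


def totp_verify(secret: bytes, code: str, now: int, step: int = 30, window: int = 1) -> bool:
    """What a typical 2FA backend offers: a yes/no answer, no key material."""
    return any(hmac.compare_digest(hotp(secret, now // step + d), code)
               for d in range(-window, window + 1))


def code_entropy_bits(digits: int = 6) -> float:
    """Key entropy if a numeric OTP code is fed straight into string_to_key."""
    return math.log2(10 ** digits)


def brute_force_code_as_password(blob: bytes, salt: bytes, candidates,
                                 iterations: int = KRB5_PBKDF2_ITERATIONS):
    """Offline attack on the 'OTP code as Kerberos password' scheme.

    An attacker holding one captured preauth blob derives a key from each
    candidate code and tests it; the whole space is only 10**6 codes.
    `candidates` lets the demo search a narrow window to keep runtime short.
    """
    for n in candidates:
        code = str(n).zfill(6)
        if tag_valid(string_to_key(code, salt, iterations), blob):
            return code
    return None


if __name__ == "__main__":
    salt = krb5_salt("EXAMPLE.COM", "alice")   # constructed realm and principal
    now = 1633693506                           # constructed clock value
    # 1. Password preauth: the KDC derives the same key and verifies on its own.
    key = string_to_key("correct horse battery staple", salt)
    blob = make_pa_enc_timestamp(key, now)
    print("password preauth accepted:", kdc_verify_timestamp(key, blob, now + 5))
    # 2. TOTP: the verifier only returns yes/no (RFC 6238 test-vector secret).
    secret = b"12345678901234567890"
    code = totp(secret, 59)
    print("totp code:", code, "accepted:", totp_verify(secret, code, 59))
    # 3. OTP code used as the password: ~20 bits of key entropy, enumerable offline.
    otp_blob = make_pa_enc_timestamp(string_to_key(code, salt), now)
    print("entropy bits of a 6-digit code:", round(code_entropy_bits(), 1))
    print("recovered from captured blob:",
          brute_force_code_as_password(otp_blob, salt, range(287000, 287200)))
```

The point of the third step is the one Ken makes: `totp_verify` never hands the KDC anything it could turn into a key, and if the code itself is used as the password the resulting key has about twenty bits of entropy, so one captured preauth exchange is enough for an offline search over every possible code.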