Re: 2FA with krb5

https://www.novabbs.com/devel/article-flat.php?id=180&group=comp.protocols.kerberos#180
From: ken...@cmf.nrl.navy.mil (Ken Hornstein)
Newsgroups: comp.protocols.kerberos
Subject: Re: 2FA with krb5
Date: Fri, 15 Oct 2021 17:49:42 -0400
Organization: TNet Consulting
Message-ID: <mailman.1.1634334594.15600.kerberos@mit.edu>
References: <5ee92454-ec38-d5de-5b36-4b2d87fd7f@prime.gushi.org>
 <202110070127.1971R4KA032759@hedwig.cmf.nrl.navy.mil>
 <87pmsgpt36.fsf@hope.eyrie.org>
 <202110071914.197JEXTD007325@hedwig.cmf.nrl.navy.mil>
 <87lf34prw2.fsf@hope.eyrie.org>
 <66D2C934-E3FF-4A81-9576-B32396A98000@rutgers.edu>
In-Reply-To: <66D2C934-E3FF-4A81-9576-B32396A98000@rutgers.edu>
To: Charles Hedrick <hedrick@rutgers.edu>
Cc: kerberos@mit.edu
List-Id: The Kerberos Authentication System Mailing List <kerberos.mit.edu>
List-Archive: <http://mailman.mit.edu/pipermail/kerberos>

>We use TOTP. That allows us to tack the token on the end of the
>password. That makes it easy to fix programs that expect a simple
>password prompt.
>
>In fact I have a wrapper that can be interposed around pretty much
>anything using LD_PRELOAD.
>[...]

Well, that answers PART of my question. And I am guessing based on
the README for that you use k5start to generate the FAST armor cache
using the host key in the keytab? But this seems kind of RADIUS-specific;
do you use TOTP for people who just use kinit?

--Ken
