Rocksolid Light

Welcome to novaBBS (click a section below)

mail  files  register  nodelist  faq  login

Linux: The OS people choose without $200,000,000 of persuasion. -- Mike Coleman


computers / comp.protocols.kerberos / Re: Always prompting for OTP

SubjectAuthor
o Re: Always prompting for OTPGreg Hudson

1
Subject: Re: Always prompting for OTP
From: Greg Hudson
Newsgroups: comp.protocols.kerberos
Organization: TNet Consulting
Date: Tue, 10 May 2022 17:02 UTC
References: 1 2
Path: i2pn2.org!i2pn.org!weretis.net!feeder6.news.weretis.net!tncsrv06.tnetconsulting.net!.POSTED.mailman.mit.edu!not-for-mail
From: ghud...@mit.edu (Greg Hudson)
Newsgroups: comp.protocols.kerberos
Subject: Re: Always prompting for OTP
Date: Tue, 10 May 2022 13:02:26 -0400
Organization: TNet Consulting
Lines: 16
Message-ID: <mailman.56.1652202189.8148.kerberos@mit.edu>
References: <CAJhaRZLGArFp=hu0X97yQOKy=W=YCk4eaQXip1+28Vp2oWta+w@mail.gmail.com>
<cfb89a7a-ab03-f705-ffcf-5ad01e4700dd@mit.edu>
Mime-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 7bit
Injection-Info: tncsrv06.tnetconsulting.net; posting-host="mailman.mit.edu:18.7.21.50";
logging-data="22646"; mail-complaints-to="newsmaster@tnetconsulting.net"
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101
Thunderbird/91.7.0
To: BuzzSaw Code <buzzsaw.code@gmail.com>, kerberos@mit.edu
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mit.edu; s=outgoing;
t=1652202188; bh=dMHqrSqNK4zKDhP/+/XUBiqIO6Xw9mWadJQ4oA8yvuI=;
h=Date:Subject:To:References:From:In-Reply-To;
b=M7mOZRRAQijgRMmcjhhjT27gOmR+3VzNJUHtjPH2ZQUzDQEboWI0NjR6uHrKq/lPr
x6Z5zvCMnAFdcsnbEWG7B6ooTIu+on1c5zIYRegBxIgYvexTPbgVF7zZ+vBpCBo50c
b3qknLTX9Bxtv/qhE9CXN5wVcnWSmfGFFwXfzA7SJNkCZTjhjsdhbXpZijlJCD5wJk
XmwQvrTuidD1E45KQg0WBxaHnru4qt1o4rzNWUB0GkfiwODPDKDKJllLysuRgVOckz
q6PwAnTshr/TyRW19Vgu0j5i+q5W7oH5bC33fdl9ueStIDV+8x1k4vZk43i60ngLj9
q/s0CnJ0n4aEg==
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none;
b=Z72W070rHkj7XtYzxl4Kjy/5rXTcQsLkC7qBMFZu1xtkRfn4XLDD6aUA8syGzXa5b/Tnawl7NlYfdKSf4Ll3mfm/K0NUSX+aYOw6MXHtuQOxaCLpY05xIBRP1doWocYINcYWj7kbnkHziDQCarGPiARrp0MMgZr02GDpIDZZALpm57Rx/C4cNpfYCmH7STszmCntZFIP5DkHTgV1TFgPNuklQZuJE7oxeS0s4RsxaZlb2R3Gc5hEmJ4j5/DPa9fgw+PAewESoe1GrzsglSUU1VGDc7te+VVambb6qEjVN/fdUw7GQj5m3lF9r77rj7jWLRFo0wZNOydnJ+Mv5T0U2w==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com;
s=arcselector9901;
h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1;
bh=dMHqrSqNK4zKDhP/+/XUBiqIO6Xw9mWadJQ4oA8yvuI=;
b=JftB5ogs7Oolad2p4ATRIwAvvU5FLm11++JLsVX0CZSSXRignS07qNYd8YU2PM+nmDygaI3iaAgSWzLJNJRlXHoAkeS8TY7fTg+mLwXWMxBhrBMbdEZDb8tDvPr8rJNwClksb73/43vsQFX7477Y9PKyI0L3xdtBnwabda/kp5Ru1zkw6+Oxc9Hm6v5BQgxNbl+tDCNu81AFSO1Fn4igtMa+VDBUH+QXpg/BJ94DRG2XgoPKe0NV9lo0VPoC/0sYlHQUMM/7wT4mjhcok3C2MlLJ34LumeY35dlTJmMTOuwlwc89D4V7QA9XnFZ20PWdpfsH3FuFVp/Zzx+RO4nz9Q==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass (sender ip is
18.9.28.11) smtp.rcpttodomain=mit.edu smtp.mailfrom=mit.edu; dmarc=pass
(p=none sp=none pct=100) action=none header.from=mit.edu; dkim=pass
(signature was verified) header.d=mit.edu; arc=none (0)
Authentication-Results: spf=pass (sender IP is 18.9.28.11)
smtp.mailfrom=mit.edu; dkim=pass (signature was verified)
header.d=mit.edu;dmarc=pass action=none header.from=mit.edu;
Received-SPF: Pass (protection.outlook.com: domain of mit.edu designates
18.9.28.11 as permitted sender) receiver=protection.outlook.com;
client-ip=18.9.28.11; helo=outgoing.mit.edu;
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mit.edu; s=outgoing;
t=1652202148; bh=dMHqrSqNK4zKDhP/+/XUBiqIO6Xw9mWadJQ4oA8yvuI=;
h=Date:Subject:To:References:From:In-Reply-To;
b=KOMILkj2Je7LPeUPRVOXE3NrupMXI20rJCQiRQuEW5R76xkCAEgeIeewGJENfmnAX
Zyot5kWAIgUJ4xOFJYhyOi8RA2goTJhwUtFgPMWa2rihpkYXuaO6QgqkYKFiI1jgrL
Lo5FXjfwjUROyqOaCdDqJ/jdZ+3Y4k9yOpmgw2yKKJfwx3po1ymFWzccSysDCw0g2b
512Mq+c/NEZkijEg7Ab5/ptVB8MtvUFFs6rJ6/kPpdsT+IiKmFmuLY6e2JUdu1+209
DPLO7O3Yr+/nvbR2h9R4twTG/Xgccvxs0Bgm/8OmsOVFIJypVjgX4rSf7fbXQt4f/7
dc4ZKxUqrU4+A==
Content-Language: en-US
In-Reply-To: <CAJhaRZLGArFp=hu0X97yQOKy=W=YCk4eaQXip1+28Vp2oWta+w@mail.gmail.com>
X-EOPAttributedMessage: 0
X-EOPTenantAttributedMessage: 64afd9ba-0ecf-4acf-bc36-935f6235ba8b:0
X-MS-PublicTrafficType: Email
X-MS-Office365-Filtering-Correlation-Id: 870d303f-540e-4102-fc65-08da32a6de7b
X-MS-TrafficTypeDiagnostic: BYAPR01MB5032:EE_
X-LD-Processed: 64afd9ba-0ecf-4acf-bc36-935f6235ba8b,ExtAddr
X-MS-Exchange-AtpMessageProperties: SA
X-Microsoft-Antispam-PRVS: <BYAPR01MB5032D53884FB3691B824B45FBCC99@BYAPR01MB5032.prod.exchangelabs.com>
X-MS-Exchange-SenderADCheck: 1
X-MS-Exchange-AntiSpam-Relay: 0
X-Microsoft-Antispam: BCL:0;
X-Microsoft-Antispam-Message-Info: S+AFYKDAeB6cRcJr1Viy+ILzHAntvsbqwjy8q1SW0SNOwywK4q+0zXwHAKDOKgD+Z9oCwOWPaOAGrJ5GJiI408m3YOeV5Hp7ox1VDq8XFzSwxyt94ExH3RUGI0NlMNDj8m5Rt9TUkpVS2YBK9cnd+yt6+ukGp73LypGkQhS3lsJ1slrgkO0/COt2xAjfrOA0g/r8eFsd68Xl/MSuvfVUUwi4vHZqqs96lH0dufdMNRmE0X6oBu+fDUG0XnFz0hUf98uSHuSoK9i9Ocz/8UdGVTB1GkjtdVP4eXa4Zyw4kgj5iOdMTp7Npgv1RdFhDgRxqMYUUAtGDgN9fJo4S3qvsE0YIJ9Qk1x10Vr9freZd4lW/D/oR1Sv/It/asF4qRF2LmkTTePqaoiZvPCidV85B/U1mPPMJYUivfz7XMHmTIQwLecog2LqXF9W+YW4u4Z5Bbxx6l8BWhup5q5q/3keH/DK3A3D8sEZL9qPD2zHLL8ZiuNMchDQtqgjsjfgXCbOSvmszOcmanNbngdwHKzarPfPyjPQJSA8OutpQSwv1D9Pex/drfgsLYmtHSUU1LHGyURUT8NKlvYny9bI4qRi1RhNt539QE/QiCbywyRb73KmRAMhMxlVPQubJV2nBLtdVwRM5ZZ5PUqOw30gs4fnWty2FCU89mgcOCUsNz+1Iy+uxhO44FUg+qrpmJLTD7Z8KYEXiSwE3RRshvpK7UarWQ==
X-Forefront-Antispam-Report: CIP:18.9.28.11; CTRY:US; LANG:en; SCL:1; SRV:;
IPV:CAL; SFV:NSPM; H:outgoing.mit.edu; PTR:outgoing-auth-1.mit.edu; CAT:NONE;
SFS:(13230001)(4636009)(426003)(336012)(68406010)(2616005)(8676002)(70586007)(83380400001)(956004)(508600001)(86362001)(26005)(316002)(786003)(6706004)(6636002)(7696005)(53546011)(3480700007)(356005)(31686004)(36756003)(2906002)(4744005)(75432002)(5660300002)(31696002)(43740500002);
DIR:OUT; SFP:1102;
X-Auto-Response-Suppress: DR, OOF, AutoReply
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 10 May 2022 17:02:30.0442 (UTC)
X-MS-Exchange-CrossTenant-Network-Message-Id: 870d303f-540e-4102-fc65-08da32a6de7b
X-MS-Exchange-CrossTenant-Id: 64afd9ba-0ecf-4acf-bc36-935f6235ba8b
X-MS-Exchange-CrossTenant-AuthSource: CO1NAM11FT022.eop-nam11.prod.protection.outlook.com
X-MS-Exchange-CrossTenant-AuthAs: Anonymous
X-MS-Exchange-CrossTenant-FromEntityHeader: Internet
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BYAPR01MB5032
X-OriginatorOrg: mit.edu
X-BeenThere: kerberos@mit.edu
X-Mailman-Version: 2.1.34
Precedence: list
List-Id: The Kerberos Authentication System Mailing List <kerberos.mit.edu>
List-Unsubscribe: <https://mailman.mit.edu/mailman/options/kerberos>,
<mailto:kerberos-request@mit.edu?subject=unsubscribe>
List-Archive: <http://mailman.mit.edu/pipermail/kerberos/>
List-Post: <mailto:kerberos@mit.edu>
List-Help: <mailto:kerberos-request@mit.edu?subject=help>
List-Subscribe: <https://mailman.mit.edu/mailman/listinfo/kerberos>,
<mailto:kerberos-request@mit.edu?subject=subscribe>
X-Mailman-Original-Message-ID: <cfb89a7a-ab03-f705-ffcf-5ad01e4700dd@mit.edu>
X-Mailman-Original-References: <CAJhaRZLGArFp=hu0X97yQOKy=W=YCk4eaQXip1+28Vp2oWta+w@mail.gmail.com>
View all headers
On 5/10/22 11:47, BuzzSaw Code wrote:
I'm trying to understand if the behavior I'm seeing is by design or a bug.
[...]
It seems like the original credentials that were passed in, which is the
valid OTP "pin+password", are tossed by the krb5 library routines once the
KDC responds asking for preauth and the anonymous FAST conversation is done
no matter what.

This is by design.  The basic Kerberos protocol does not reveal the
password to the KDC, but FAST OTP does reveal the OTP value (encrypted
within the FAST channel).  So for libkrb5 to transparently send the
password to the KDC when the KDC asks for FAST OTP would have security
implications.

pam_krb5 could work around this decision via its prompter callback, and
that might be reasonable to implement as an option.


1
rocksolid light 0.7.2
clearneti2ptor