Rocksolid Light

Welcome to novaBBS (click a section below)

mail  files  register  nodelist  faq  login

You will have a head crash on your private pack.


computers / comp.protocols.kerberos / Re: Always prompting for OTP

SubjectAuthor
o Re: Always prompting for OTPBuzzSaw Code

1
Subject: Re: Always prompting for OTP
From: BuzzSaw Code
Newsgroups: comp.protocols.kerberos
Organization: TNet Consulting
Date: Tue, 10 May 2022 17:51 UTC
References: 1 2 3
Path: i2pn2.org!i2pn.org!weretis.net!feeder6.news.weretis.net!tncsrv06.tnetconsulting.net!.POSTED.mailman.mit.edu!not-for-mail
From: buzzsaw....@gmail.com (BuzzSaw Code)
Newsgroups: comp.protocols.kerberos
Subject: Re: Always prompting for OTP
Date: Tue, 10 May 2022 13:51:02 -0400
Organization: TNet Consulting
Lines: 25
Message-ID: <mailman.57.1652205100.8148.kerberos@mit.edu>
References: <CAJhaRZLGArFp=hu0X97yQOKy=W=YCk4eaQXip1+28Vp2oWta+w@mail.gmail.com>
<cfb89a7a-ab03-f705-ffcf-5ad01e4700dd@mit.edu>
<CAJhaRZKzi91odO9Eu87J7z6xC_EepWrxSAL++EB9Yh6HCZPufQ@mail.gmail.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="UTF-8"
Injection-Info: tncsrv06.tnetconsulting.net; posting-host="mailman.mit.edu:18.7.21.50";
logging-data="892"; mail-complaints-to="newsmaster@tnetconsulting.net"
Cc: kerberos@mit.edu
To: Greg Hudson <ghudson@mit.edu>
Authentication-Results: mit.edu;
dmarc=pass (p=none dis=none) header.from=gmail.com
Authentication-Results: mit.edu; arc=pass
ARC-Seal: i=2; a=rsa-sha256; d=mit.edu; s=arc; t=1652205099; cv=pass;
b=IAXvQ+2f90ZzRpyGlndJRrMWmKR67FHYCdrr6XEk9eZ56K7pQGBt7J3HaEJ66cbh2jpv5uEZhAyDUcdhCJsNJ3X81io7iwtARknFtfHdK8Wo81NcThe1ff659Lwkh2kCrqdl8UnMcwTPi8zBQMCwA8I0Mq/Q7Dmc0z00FlKfizPHYKmcAi6BqCO5YNfo3pgMuqI/aI2eM0ogvABRMjZeRDg0mghr1Uf7j2fv0Uu80Bex8TFynYJGQI8mJDcKKWEkEibESdgtApKCB1UwAo2nxRIUAT30Y5IEM5lhsE0UDsIHBmCesCWd8ZeOJWJH7Qcdsb/54FBAMYyIBvdwXvSMcg==
ARC-Message-Signature: i=2; a=rsa-sha256; d=mit.edu; s=arc; t=1652205099;
c=relaxed/relaxed; bh=VzhevJafPqHNfrJU833x5wy1h+sVHFCpUer8WrbVwoA=;
h=MIME-Version:From:Date:Message-ID:Subject:Content-Type;
b=1I0Y9PSZ8V1ek6s8fufZWj5f9iE77wal2XtkVroFJlk9BD8EHhtFaY0rRiF/u3INRKcpg/L9z1KlnWyWFp/MwcNUwpZYM/VO24RCHtX6RhKtH/3wJbKYlcbswdbTenswidOtM1v6+B0oPsJyooFfac2mP8SdL6PUKbHzLpiohBKxcsi+EJwhP1vfYf1LB9Yu1vYuRBef/rHd5YMCqCsQPZdWLmOMGEEtr+402xWHfiEt7J70I5F9iFt3n10iaUyoIIiPhuzcj+P7vg6c0PMzuXCr2n3rBEyAtIofbq66tO6+qqBX5NXCBSrK0pm3eQKfGO/IuBkBFLFbky5/SaId0w==
ARC-Authentication-Results: i=2; mit.edu; dkim=pass (1024-bit key)
header.d=mitprod.onmicrosoft.com header.i=@mitprod.onmicrosoft.com
header.b=RCTG4BUh;
dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com
header.b=Bzk6oHRZ; arc=pass
Authentication-Results: mit.edu;
dkim=pass (1024-bit key) header.d=mitprod.onmicrosoft.com
header.i=@mitprod.onmicrosoft.com header.b=RCTG4BUh;
dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com
header.b=Bzk6oHRZ
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none;
b=SjXpHSpJpXDtJe9SH+Le/7THDs1RLaBA+63M3SgPVjLmb9O0QlGH3hIiq9eDMe19GZdSvktCxlMB4iZSR+lXhHNX+i21hmd/jLHYsVIr0AdETzKhDa3MDaH0q+KAyFK3mmNCv8I2WmYFIclUYmbRXE1U2/LSMJZVC/4xeWD/ECA8y/n0sEaO8ikdertTUljQJ5Q9RHklxjKWh4HMY6cNG/ma1NN5Pa2IKdq9UQJhMafN2mFolSX/T+oXn+dR2hgMVN0RcKmULj9843t8EF6mSACWb5IrvVSmSjCXYQVUSGgwQLNJKMT7hQQK646TPCqQzXOCsKwgWyR66Gb1uTt4dA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com;
s=arcselector9901;
h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1;
bh=VzhevJafPqHNfrJU833x5wy1h+sVHFCpUer8WrbVwoA=;
b=Vx8wjyU+GEoAQNDJK54kiyFy5Ku2osR9IA09HFVEAPDSf1+Uv2SA7wnAXR6sYS5sQ2ufmgCtgjnyKMmLlLfpurjLTyPbNBTH9bMau4B+M7Zx7a8VjH/0BV0cStuuY4X6RHTQsqMtTrxFuiq+bg/E2UpUkrO5X9OBJZU6amFlTNo7pawiD2QRMLMn4CZ3nRzPIR2qMU0moZwKY8NYY5VK1+7RAF8Iy44D+zBV8H3YAtRsv43h75PJQ8Ah8sLTLbh1e+6wCswUi/Gddrp6t4gMu5FfRQQ+73vvnbrnQCqa0rxqwBN5QdkZRjoxJ60LJcGAs8CaWqxGm2uieSHmXt35+w==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass (sender ip is
209.85.128.179) smtp.rcpttodomain=mit.edu smtp.mailfrom=gmail.com; dmarc=pass
(p=none sp=quarantine pct=100) action=none header.from=gmail.com; dkim=pass
(signature was verified) header.d=gmail.com; arc=none (0)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=mitprod.onmicrosoft.com; s=selector2-mitprod-onmicrosoft-com;
h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck;
bh=VzhevJafPqHNfrJU833x5wy1h+sVHFCpUer8WrbVwoA=;
b=RCTG4BUhCB32w+FvTmZM3sEJ48LlxJPu1edq2Z8LkkHiZwNrUeIDGLsRLmJgzXCcyOQRSOBdNDEPZZ9zc0THZa1yu5mvFbWLt5zGZASsAXhdl4HU4cI2zVoUjRfplWWezhIk/u1IMqbCZ4+VB8zGOfUcEVJCwBqbgyimH4+WLKw=
Authentication-Results: spf=pass (sender IP is 209.85.128.179)
smtp.mailfrom=gmail.com; dkim=pass (signature was verified)
header.d=gmail.com;dmarc=pass action=none header.from=gmail.com;
Received-SPF: Pass (protection.outlook.com: domain of gmail.com designates
209.85.128.179 as permitted sender) receiver=protection.outlook.com;
client-ip=209.85.128.179; helo=mail-yw1-f179.google.com;
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112;
h=mime-version:references:in-reply-to:from:date:message-id:subject:to
:cc; bh=VzhevJafPqHNfrJU833x5wy1h+sVHFCpUer8WrbVwoA=;
b=Bzk6oHRZ7gRRkKoH0dmawNSKtY7CETNOCu1IbpXfOpy5B68CgbvkDfmXzm7CJmnBot
1jTU+UqYMS/HMnk2ye2T0nK9xXB/m0ZX+nTwKvPW8br8bNHjR8X2wEC0I69GBmgsJo8o
4MMJGOoCpNyyvuFyGBujYdiLL57ZAYLBgtOYpX6featQ5Wuusuj6qvBME7yZlu0eTaTC
AkKFKHdtWqn73Sswjqlbx2friisWsJV4sMWvH4ymhL0oxb3cNt3bVbirzd86OT0rPv/D
GQOWnwOCTF9+sDx9iWpG1c6tilFkpa+/qExEK3DS8y1xaJamdtu/VmUOUJpSr8zf7gGs
AQmQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=1e100.net; s=20210112;
h=x-gm-message-state:mime-version:references:in-reply-to:from:date
:message-id:subject:to:cc;
bh=VzhevJafPqHNfrJU833x5wy1h+sVHFCpUer8WrbVwoA=;
b=HKWAPG0754KK8c+sWHzF3NgzO4d/RA0qvpQs1IelA8thQcNkv+mAOfWeOcSbHhegnV
1O6Y+poKvGNGFTOmDCI5lY6oEfm0P1PtNMxiqIIbHHGjbDMdDwL0NAjY60R7eY1+vxxE
5guotMTCE/nb4mzhEl2Btqlu0N6oBcPIOtSGAbmIoDthguTIbjoqsKZZLvODwPyVz/Id
T64Ft63uIE9tAd3/tqyAuOR3Rx4E6MDnhVh441Fx/eCad0U94nxp/IpvAEr/mXc8F/jA
alWWdOmrS1HhE37rG4jGWJcf8VWQeDCjVevfT0i3A4Qc1H9Wn/gQuD2VFJLkiJLgRVD6
TIrA==
X-Gm-Message-State: AOAM531+prdz8clcVFAMq8I9o5CA1iYdG4TvRTPOa+D7XRH4wLxm4K8k
AqGfrDKylcJ1yT+XJ++72ItTfucMfxrl8n97ofanXwPa
X-Google-Smtp-Source: ABdhPJwcANUrJ+T0yUAGypu64b3vUK4+wtIp5Lhp4Rr3jby8mZCbZ4SCwddPkhBYYorqm3UhYqvY5mL6qeKWBbNWS5M=
X-Received: by 2002:a81:3252:0:b0:2f6:b826:2286 with SMTP id
y79-20020a813252000000b002f6b8262286mr20561254ywy.289.1652205073395; Tue, 10
May 2022 10:51:13 -0700 (PDT)
In-Reply-To: <cfb89a7a-ab03-f705-ffcf-5ad01e4700dd@mit.edu>
X-EOPAttributedMessage: 0
X-EOPTenantAttributedMessage: 64afd9ba-0ecf-4acf-bc36-935f6235ba8b:0
X-MS-PublicTrafficType: Email
X-MS-Office365-Filtering-Correlation-Id: 0942bba1-7412-4896-7a15-08da32adad14
X-MS-TrafficTypeDiagnostic: SN6PR01MB3789:EE_
X-LD-Processed: 64afd9ba-0ecf-4acf-bc36-935f6235ba8b,ExtAddr
X-MS-Exchange-AtpMessageProperties: SA
X-Microsoft-Antispam-PRVS: <SN6PR01MB37898022CBF2F9E567FDAD7E8AC99@SN6PR01MB3789.prod.exchangelabs.com>
X-MS-Exchange-SenderADCheck: 0
X-MS-Exchange-AntiSpam-Relay: 0
X-Microsoft-Antispam: BCL:0;
X-Microsoft-Antispam-Message-Info: RHDKUq3DOHIxEtbaA4g/V552Ly0gzKQCn7auCkGshg1QOWoLKSCMqKSEn5BDYGaghzgsKOo0wNEZJjwIJmqSra2ZhDNDRPwEvRRExWTjvqgvR6wzGWiQjqOap5igQ53dmLQhKZlET4gR2sdCFxPITJRSh7UOCA3mhd2kJbd3zNr1pFbKTAySm7k9zX/CjuZ+uXbQ1LulJhYFD+OKaHN69aUBsmar8ZHS9RE2bvSKxD/lJ8ijlOqBTldTObXuXKnOtI39DlPJbaCsRHRHqwHzxLqpKE6ZTzvSJ8eIiSXQJrskCdP+XuqTO3P34RFwdFhVygh4pQG5ZAR9YoPWkaJgDrz+CiB0CbGppnaMMOuUyjsZUsR6MtVPNrL63Xn+1KRvt0/HyRDlu9XOysHgbWuVQf4gNu0bsl10/CdO/pbNgc1l1X20BkYn32rfg69ZcgJUl/8HVSJ7nowWpA5VYTTwjA8gBl0Q1Qut9f4Uz+z8IS/ROD82UBxoReszK1AJE2py53H/zg0IsRHwF1qAMoHVzMJBV8jPIO3Q+bKBzC4AIVP538Gwymu+jYMEqUDqr3lnfxyZK3XX8YNWaQnQLJWk85G3f2WQSZ9cfDFUDX20Dyi3GpjHqq9exROxcWyIIlbU
X-Forefront-Antispam-Report: CIP:209.85.128.179; CTRY:US; LANG:en; SCL:1; SRV:;
IPV:NLI; SFV:NSPM; H:mail-yw1-f179.google.com; PTR:mail-yw1-f179.google.com;
CAT:NONE;
SFS:(13230001)(4636009)(84050400002)(33964004)(26005)(42186006)(6666004)(5660300002)(83380400001)(2906002)(336012)(73392003)(82202003)(508600001)(3480700007)(7636003)(70586007)(86362001)(4326008)(7596003)(55446002)(786003)(316002)(76482006)(8676002)(68406010)(356005)(6862004);
DIR:OUT; SFP:1102;
X-Auto-Response-Suppress: DR, OOF, AutoReply
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 10 May 2022 17:51:14.0877 (UTC)
X-MS-Exchange-CrossTenant-Network-Message-Id: 0942bba1-7412-4896-7a15-08da32adad14
X-MS-Exchange-CrossTenant-Id: 64afd9ba-0ecf-4acf-bc36-935f6235ba8b
X-MS-Exchange-CrossTenant-AuthSource: DM6NAM11FT052.eop-nam11.prod.protection.outlook.com
X-MS-Exchange-CrossTenant-AuthAs: Anonymous
X-MS-Exchange-CrossTenant-FromEntityHeader: Internet
X-MS-Exchange-Transport-CrossTenantHeadersStamped: SN6PR01MB3789
X-OriginatorOrg: mitprod.onmicrosoft.com
X-Content-Filtered-By: Mailman/MimeDel 2.1.34
X-BeenThere: kerberos@mit.edu
X-Mailman-Version: 2.1.34
Precedence: list
List-Id: The Kerberos Authentication System Mailing List <kerberos.mit.edu>
List-Unsubscribe: <https://mailman.mit.edu/mailman/options/kerberos>,
<mailto:kerberos-request@mit.edu?subject=unsubscribe>
List-Archive: <http://mailman.mit.edu/pipermail/kerberos/>
List-Post: <mailto:kerberos@mit.edu>
List-Help: <mailto:kerberos-request@mit.edu?subject=help>
List-Subscribe: <https://mailman.mit.edu/mailman/listinfo/kerberos>,
<mailto:kerberos-request@mit.edu?subject=subscribe>
X-Mailman-Original-Message-ID: <CAJhaRZKzi91odO9Eu87J7z6xC_EepWrxSAL++EB9Yh6HCZPufQ@mail.gmail.com>
X-Mailman-Original-References: <CAJhaRZLGArFp=hu0X97yQOKy=W=YCk4eaQXip1+28Vp2oWta+w@mail.gmail.com>
<cfb89a7a-ab03-f705-ffcf-5ad01e4700dd@mit.edu>
View all headers


This is by design.  The basic Kerberos protocol does not reveal the
password to the KDC, but FAST OTP does reveal the OTP value (encrypted
within the FAST channel).  So for libkrb5 to transparently send the
password to the KDC when the KDC asks for FAST OTP would have security
implications.


I guess I'm missing the security issue if I'm asking it to send the
credentials originally supplied in that FAST channel.  We're
using anonymous FAST so I didn't expect (or want) it to send those outside
that channel.

pam_krb5 could work around this decision via its prompter callback, and
that might be reasonable to implement as an option.


I started looking at that by trying to trace down where the library removes
the password but haven't been able to follow all of the code  (yet).

A bad side effect of this behavior is that the calling PAM module never
gets that OTP value so it isn't available for other modules in the stack,
so they too prompt for credentials because they think the password has not
been entered yet.


1
rocksolid light 0.7.2
clearneti2ptor