Thanks I will look into using sssd.

> RHEL 7 also has IdM (open source project is FreeIPA
> http://www.freeipa.org/page/Main_Page) that includes MIT Kerberos server
> as part of its domain controller offering which is free.

Dmitri – thanks, however we already have an IDM with Kerberos, LDAP, DNS 
management and keytab generation and management services.  If I was starting 
from scratch using FreeIPA would be a no-brainer.

Appreciate the help.


Glenn


On 8/28/16, 3:57 PM, "kerberos-boun...@mit.edu on behalf of Dmitri Pal" 
<kerberos-boun...@mit.edu on behalf of d...@redhat.com> wrote:

    On 08/27/2016 09:10 PM, Machin, Glenn D wrote:
    > Thanks to Dio I was able to get the Pkinit Anonymous working to enable
    > the armor key. I noticed that RedHat 7 supports OTP in Kerberos and the kinit
    > works fine. You do need to force TCP for Kerberos, since the radius
    > transaction can take longer than a second to complete at times. Using UDP I was
    > getting a failure on the RH7 system (a VM on my laptop) because the initial
    > AS_REQ did not complete until after a second AS_REQ was sent, which failed,
    > while the first came back successful.
    >
    > Next step was to be able to use it for login/sudo. I modified the
    > pam_krb5 step to below in system-auth. What I see on the KDC are only
    > encrypted timestamp preauth.
    >
    > Can RHEL7 pam_krb5 do OTP?
    >
    >        auth        [success=done authinfo_unavail=ignore new_authtok_reqd=ok ignore=ignore default=die]    pam_krb5.so no_initial_prompt no_subsequent_prompt armor=true armor_strategy=pkinit
    
    SSSD rather than pam_krb5.
    https://fedorahosted.org/sssd/
    
    You in fact need to use TCP for the reasons you described and SSSD does
    it for you.
    RHEL 7 also has IdM (open source project is FreeIPA
    http://www.freeipa.org/page/Main_Page) that includes MIT Kerberos server
    as part of its domain controller offering which is free.
    All the manual things you are exploring now are taken care of for you in
    RHEL 7, Fedora and CentOS using IdM/FreeIPA and its client that
    configures SSSD, Kerberos client, DNS and other parts of the system.
    
    Thanks
    Dmitri
    
    >
    > Any help would be appreciated.
    >
    >
    > Glenn
    >
    >
    >
    >
    > On 8/26/16, 4:09 PM, "kerberos-boun...@mit.edu on behalf of Dmitri Pal" 
<kerberos-boun...@mit.edu on behalf of d...@redhat.com> wrote:
    >
    >     On 08/26/2016 04:38 PM, Diogenes Jesus wrote:
    >     >
    >     >> I was able to configure a krb5-1.14.2 KDC to use FAST OTP with an
    >     >> RSA Authentication Manager Radius server.
    >     >>
    >     >> I have a couple of questions:
    >     >>
    >     >>
    >     >> - FAST requires an existing ticket cache. If you need a
    >     >> TGT to get a FAST OTP TGT how do you do that?
    >     > One way is to enable Anonymous support
    >     > (http://k5wiki.kerberos.org/wiki/Anonymous_kerberos) - DON'T forget to restrict
    >     > anonymous to tgt only on your kdcs!
    >     >
    >     > Dio
    >     >
    >     > ________________________________________________
    >     > Kerberos mailing list           Kerberos@mit.edu
    >     > https://mailman.mit.edu/mailman/listinfo/kerberos
    >     >
    >     >
    >     OK you can use host key to armor the FAST tunnel for a client system if
    >     your host is also a part of the Kerberos realm.
    >     You can check FreeIPA project, there all these pieces are integrated and
    >     automated.
    >     
    >     -- 
    >     Thank you,
    >     Dmitri Pal
    >     
    >     Engineering Director, Identity Management and Platform Security
    >     Red Hat, Inc.
    >     
    >     
    >
    >
    >
    >
    >
    
    
    -- 
    Thank you,
    Dmitri Pal
    
    Engineering Director, Identity Management and Platform Security
    Red Hat, Inc.
    
    



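As an added example (not configuration from anyone in this thread), here is the SSSD and krb5 setup that does what the pam_krb5 line above attempts: FAST armored with the host key as Dmitri suggests, TCP forced because of the slow RADIUS round-trip Glenn describes, and the KDC-side restriction of anonymous principals to TGTs that Dio asks for. The realm, host names and file paths are placeholders, and `krb5_fast_use_anonymous_pkinit` is assumed to need an SSSD newer than the one RHEL 7 shipped at the time of the thread.

```ini
# /etc/krb5.conf (client) -- placeholder realm and KDC name
[libdefaults]
    default_realm = EXAMPLE.COM
    # Force TCP. Over UDP the library retransmits after about a second, so a
    # RADIUS-backed OTP AS-REQ that takes longer produces a second AS-REQ that
    # fails while the first one succeeds (the symptom described in the thread).
    udp_preference_limit = 1
    # CA that issued the KDC certificate; only needed when the armor ticket
    # comes from anonymous PKINIT (placeholder path).
    pkinit_anchors = FILE:/etc/pki/krb5/ca.crt

[realms]
    EXAMPLE.COM = {
        kdc = kdc1.example.com
    }

# /etc/sssd/sssd.conf (client) -- replaces the pam_krb5 line in system-auth
[sssd]
    services = nss, pam
    domains = example.com

[domain/example.com]
    id_provider = ldap
    auth_provider = krb5
    krb5_realm = EXAMPLE.COM
    krb5_server = kdc1.example.com
    # Never fall back to an unarmored AS exchange: the OTP value must only
    # ever travel inside the FAST tunnel.
    krb5_use_fast = demand
    # Armor with the host's own keytab entry (the host is a realm member).
    krb5_fast_principal = host/client.example.com@EXAMPLE.COM
    # Alternative when the host has no keytab: armor with anonymous PKINIT.
    # Assumed to require a newer SSSD than RHEL 7 had in 2016.
    # krb5_fast_use_anonymous_pkinit = True

# /var/kerberos/krb5kdc/kdc.conf (KDC) -- "restrict anonymous to TGT only"
[realms]
    EXAMPLE.COM = {
        # Anonymous principals may obtain a TGT (usable only as FAST armor)
        # but are never issued service tickets.
        restrict_anonymous_to_tgt = true
    }
```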
