Thanks, I will look into using sssd.

> RHEL 7 also has IdM (open source project is FreeIPA
> http://www.freeipa.org/page/Main_Page) that includes MIT Kerberos server
> as part of its domain controller offering which is free.

----

Dmitri – thanks, however we already have an IDM with Kerberos, LDAP, DNS management and keytab generation and management services. If I was starting from scratch using FreeIPA would be a no-brainer. Appreciate the help.

Glenn

On 8/28/16, 3:57 PM, "kerberos-boun...@mit.edu on behalf of Dmitri Pal" <kerberos-boun...@mit.edu on behalf of d...@redhat.com> wrote:

On 08/27/2016 09:10 PM, Machin, Glenn D wrote:
> Thanks to Dio I was able to get the PKINIT Anonymous working to enable the armor key. I noticed that RedHat 7 supports OTP in Kerberos and the kinit works fine. You do need to force TCP for Kerberos, since the RADIUS transaction can take longer than a second to complete at times. Using UDP I was getting a failure on the RH7 system (a VM on my laptop) because the initial AS_REQ did not complete until after a second AS_REQ was sent, which failed, while the first came back successful.
>
> Next step was to be able to use it for login/sudo. I modified the pam_krb5 step to below in system-auth. What I see on the KDC are only encrypted timestamp preauth.
>
> Can RHEL7 pam_krb5 do OTP?
>
> auth [success=done authinfo_unavail=ignore new_authtok_reqd=ok ignore=ignore default=die] pam_krb5.so no_initial_prompt no_subsequent_prompt armor=true armor_strategy=pkinit

SSSD rather than pam_krb5.
https://fedorahosted.org/sssd/

You in fact need to use TCP for the reasons you described and SSSD does it for you.

RHEL 7 also has IdM (open source project is FreeIPA http://www.freeipa.org/page/Main_Page) that includes MIT Kerberos server as part of its domain controller offering which is free.

All the manual things you are exploring now are taken care of for you in RHEL 7, Fedora and CentOS using IdM/FreeIPA and its client that configures SSSD, Kerberos client, DNS and other parts of the system.

Thanks
Dmitri

> Any help would be appreciated.
>
> Glenn
>
> On 8/26/16, 4:09 PM, "kerberos-boun...@mit.edu on behalf of Dmitri Pal" <kerberos-boun...@mit.edu on behalf of d...@redhat.com> wrote:
>
> On 08/26/2016 04:38 PM, Diogenes Jesus wrote:
> >> I was able to configure a krb5-1.14.2 KDC to use FAST OTP with an RSA Authentication Manager RADIUS server.
> >>
> >> I have a couple of questions:
> >>
> >> · FAST requires an existing ticket cache. If you need a TGT to get a FAST OTP TGT how do you do that?
> >
> > One way is to enable Anonymous support (http://k5wiki.kerberos.org/wiki/Anonymous_kerberos) - DON'T forget to restrict anonymous to TGT only on your KDCs!
> >
> > Dio
> >
> > ________________________________________________
> > Kerberos mailing list Kerberos@mit.edu
> > https://mailman.mit.edu/mailman/listinfo/kerberos
>
> OK you can use host key to armor the FAST tunnel for a client system if your host is also a part of the Kerberos realm.
> You can check FreeIPA project, there all these pieces are integrated and automated.
>
> --
> Thank you,
> Dmitri Pal
>
> Engineering Director, Identity Management and Platform Security
> Red Hat, Inc.
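The thread above combines three pieces of advice: force TCP on the client so a slow RADIUS round-trip does not trigger the duplicate AS-REQ Glenn saw over UDP, obtain an anonymous PKINIT ticket to use as FAST armor, and restrict anonymous principals on the KDC to TGTs only. The script below is an added example that is not from any of the posters; it writes constructed client and KDC configuration fragments for a placeholder realm (EXAMPLE.COM, kdc.example.com and the CA path are assumptions), checks them, and shows the two-step `kinit` (anonymous armor cache, then the OTP exchange inside the FAST tunnel). The `fast_otp_kinit` function needs a reachable KDC and is therefore defined but not called.

```shell
#!/bin/sh
# Added example (not from the thread): client krb5.conf and KDC kdc.conf
# fragments for FAST-armored OTP logins, plus the two-step kinit.
# EXAMPLE.COM, kdc.example.com and the file paths are placeholders.

# Write a constructed krb5.conf into $1. udp_preference_limit = 1 makes the
# client use TCP for every KDC exchange, so a slow RADIUS round-trip no longer
# causes the UDP retransmit that produced the duplicate AS-REQ in the thread.
# pkinit_anchors is needed for 'kinit -n' (anonymous PKINIT) to verify the KDC.
write_client_krb5_conf() {
    cat > "$1" <<'EOF'
[libdefaults]
    default_realm = EXAMPLE.COM
    udp_preference_limit = 1
    pkinit_anchors = FILE:/etc/pki/tls/certs/kdc-ca.pem

[realms]
    EXAMPLE.COM = {
        kdc = kdc.example.com
        admin_server = kdc.example.com
    }
EOF
}

# Write a constructed kdc.conf realm stanza into $1. restrict_anonymous_to_tgt
# keeps anonymous tickets usable only as FAST armor (a TGT), never as service
# tickets; this is the "restrict anonymous to TGT only" advice from the thread.
write_kdc_conf() {
    cat > "$1" <<'EOF'
[realms]
    EXAMPLE.COM = {
        restrict_anonymous_to_tgt = true
        # OTP preauth is provided by the KDC's otp plugin; its RADIUS
        # server settings live outside this fragment.
    }
EOF
}

# Return 0 when the given krb5.conf forces TCP for KDC traffic.
config_forces_tcp() {
    grep -Eq '^[[:space:]]*udp_preference_limit[[:space:]]*=[[:space:]]*1[[:space:]]*$' "$1"
}

# Return 0 when the given kdc.conf limits anonymous principals to TGTs.
kdc_restricts_anonymous() {
    grep -Eq '^[[:space:]]*restrict_anonymous_to_tgt[[:space:]]*=[[:space:]]*true' "$1"
}

# The two-step login: an anonymous PKINIT TGT in its own cache provides the
# FAST armor, then the user's OTP AS exchange runs inside that tunnel.
# Requires a reachable KDC, so it is not invoked in this script.
fast_otp_kinit() {
    user="$1"
    armor="${2:-/tmp/krb5cc_armor_$$}"
    kinit -n -c "$armor" || return 1   # anonymous armor ticket
    kinit -T "$armor" "$user"          # OTP AS-REQ inside the FAST tunnel
}
```

A host already joined to the realm can use its own keytab as armor instead of anonymous PKINIT, which is the alternative Dmitri mentions for client systems; the configuration checks above apply unchanged in that case.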