Hi all,

I'm trying to configure an MIT Kerberos server (I believe version 1.15) to do OTP 
preauth against a FreeRadius server on a Debian 9 host.


What I did so far was:

1) installed and configured FreeRadius to only do OTP with google-authenticator 
via PAM => works

2) installed and configured MIT kerberos with a couple of principals => "kinit 
-p simon" works

3) I followed https://web.mit.edu/kerberos/krb5-1.13/doc/admin/otp.html

4) I realized that I probably also need PKINIT for FAST to work, so I also 
followed https://web.mit.edu/kerberos/krb5-1.13/doc/admin/pkinit.html, but only 
the server portion. I skipped the client part. I was using my own CA.

5) I did 'set_string simon otp "[]"' and "modprinc +need_pre_auth simon"

6) restarted KDC


Here is where I am a bit unsure now. I kinda expect "kinit -p simon" now to 
either ask me for my password AND my OTP token, or at least fail with some 
error message. But instead it succeeds if I just enter my password.


From the logs I can see that the OTP module gets loaded and when I do kinit 
that some sort of PREAUTH is required, but apparently it is handled 
successfully and completely without OTP token.


I then started to fiddle with the "authentication indicators", but I'm afraid I 
do not properly understand their part in all this.


Can somebody please advise me what is missing?


Also can somebody explain how this integrates with PAM-kerberos on a client 
machine? Will PAM then prompt the user for the OTP token and password?


Many thanks & Regards

Simon
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
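As an added illustration (not part of the post above, and not MIT Kerberos code), the script below models how the three pieces the post touches fit together: the `[otp]` section of kdc.conf defines token types (DEFAULT plus any named ones, each with a RADIUS `server`, `secret`, and an `indicator` string), the principal's `otp` string attribute is a JSON list of token objects that select a type (an empty list, as in `set_string simon otp "[]"`, selects DEFAULT), and a service principal's `require_auth` string attribute names the authentication indicators one of which must be present for a ticket to be issued. The kdc.conf text and principal attributes are constructed samples; the parser handles only the flat `NAME = { key = value }` subset the OTP module uses, and the per-token `indicators` override and the default server address are taken from the MIT documentation as I understand it, so treat them as assumptions to verify against your version's docs.

```python
import json
import re

# Constructed sample [otp] section (not from the post). DEFAULT is what an
# empty otp attribute "[]" resolves to; "hwtoken" is a second, named type.
KDC_CONF = """
[otp]
    DEFAULT = {
        server = 127.0.0.1:1812
        secret = /etc/krb5kdc/radius.secret
        timeout = 5
        retries = 3
        strip_realm = true
        indicator = otp
    }
    hwtoken = {
        server = 10.0.0.5:1812
        secret = /etc/krb5kdc/hw.secret
        indicator = hwtoken
    }
"""


def parse_otp_section(text):
    """Parse the [otp] section of a kdc.conf profile into {type: {key: value}}.
    Only the flat 'NAME = { key = value ... }' form is handled."""
    types = {}
    in_otp = False
    current = None
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        if line.startswith('['):                 # section header
            in_otp = (line == '[otp]')
            current = None
            continue
        if not in_otp:
            continue
        m = re.match(r'^(\S+)\s*=\s*\{$', line)  # start of a token-type block
        if m:
            current = m.group(1)
            types[current] = {}
            continue
        if line == '}':                          # end of the block
            current = None
            continue
        if current is not None:
            key, _, value = line.partition('=')
            types[current][key.strip()] = value.strip()
    return types


def resolve_tokens(otp_attr, types):
    """Resolve a principal's 'otp' string attribute (a JSON list of token
    objects) against the [otp] types. "[]" or a token without 'type' means
    DEFAULT. A principal with no otp attribute at all is not OTP-enabled."""
    tokens = json.loads(otp_attr)
    if tokens == []:
        tokens = [{}]
    resolved = []
    for tok in tokens:
        tname = tok.get('type', 'DEFAULT')
        if tname not in types:
            raise ValueError(f"token type {tname!r} is not configured in [otp]")
        cfg = types[tname]
        # Assumption: a per-token 'indicators' list overrides the type's
        # single 'indicator'; the KDC attaches these to the issued ticket.
        indicators = tok.get('indicators') or (
            [cfg['indicator']] if 'indicator' in cfg else [])
        resolved.append({
            'type': tname,
            'server': cfg.get('server', '127.0.0.1'),  # assumed default
            'username': tok.get('username'),
            'indicators': indicators,
        })
    return resolved


def satisfies_require_auth(indicators, require_auth):
    """require_auth (a service principal's string attribute) is a
    space-separated list of indicators; any one present suffices, and an
    empty require_auth imposes no restriction. A ticket obtained via a
    non-OTP preauth path carries no 'otp' indicator and is refused."""
    required = require_auth.split()
    return not required or any(i in indicators for i in required)


if __name__ == '__main__':
    types = parse_otp_section(KDC_CONF)
    for attr in ['[]', '[{"type": "hwtoken", "username": "simon"}]']:
        for tok in resolve_tokens(attr, types):
            ok = satisfies_require_auth(tok['indicators'], 'otp hwtoken')
            print(f"otp={attr!r:45} -> {tok['type']:8} via {tok['server']:16} "
                  f"indicators={tok['indicators']} require_auth ok={ok}")
    # A ticket with no indicators (e.g. encrypted-timestamp preauth) fails:
    print("no indicators, require_auth=otp ->", satisfies_require_auth([], 'otp'))
```

The last line is the behaviour to check on a real KDC: an OTP indicator only has teeth when some service (in practice the realm's krbtgt or the target host principal) carries a `require_auth` attribute naming it; without that, a ticket obtained through another preauth mechanism is accepted just the same.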
