> Since I am currently only interested in anonymous auth, I thought I
> could skip that directive. But alas:
Right, so, here's where my limited knowledge of FAST comes into play. As I understand it, you need to be able to use a trusted key to authenticate with the KDC to create the FAST channel. Your options are using an already-existing key (such as a host key) or anonymous PKINIT. But the "anonymous" part of anonymous PKINIT only refers to the CLIENT being anonymous; you still need the client to be able to verify the KDC's certificate (otherwise anyone could pretend to be your KDC and you could end up sending your OTP output to them, which would be bad). That's the piece you were missing. Once you have the FAST channel set up, then you can use that to securely send the OTP response.

I see in a later message you got it working; great! Just FYI in case anyone else asks, the key line in that trace output was this:

[1185088] 1682519355.427424: Processing preauth types: PA-PK-AS-REQ (16), PA-FX-FAST (136), PA-ETYPE-INFO2 (19), PA-PKINIT-KX (147), PA-ENCRYPTED-CHALLENGE (138), PA_AS_FRESHNESS (150), PA-FX-COOKIE (133), PA-FX-ERROR (137)

You're missing PA-OTP-REQUEST, which was because (as you discovered) that plugin wasn't installed. But that requires a lot of Kerberos knowledge to get to that point :-/

It does occur to me a useful addition to kinit might be a flag that means "authenticate using anonymous PKINIT and then use those credentials as a FAST armour credential cache" so you wouldn't have to muck around with juggling credential caches.

--Ken

________________________________________________
Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos
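As an added illustration of the two-step procedure Ken describes (not code from the thread or from MIT krb5 itself): obtain anonymous PKINIT credentials into a separate cache, use that cache as the FAST armor for the real OTP login, and inspect the KRB5_TRACE output for the preauth types the KDC offered. It uses only documented MIT kinit options (-n, -c, -T, -X X509_anchors=...). The realm, principal, CA bundle path and cache paths are placeholders, and the PA-OTP-REQUEST name is assumed to appear in the trace exactly as the other preauth names do; the sample trace line embedded in the checking functions' usage is constructed.

```shell
#!/bin/sh
# Added example: anonymous-PKINIT armor + FAST OTP login with MIT kinit, plus a
# checker for the "Processing preauth types" line in KRB5_TRACE output.
# Assumptions (placeholders): REALM, PRINCIPAL, PKINIT_ANCHORS, cache paths.
set -eu

REALM="${REALM:-EXAMPLE.COM}"
PRINCIPAL="${PRINCIPAL:-user@$REALM}"
PKINIT_ANCHORS="${PKINIT_ANCHORS:-FILE:/etc/krb5/kdc-ca.pem}"
ARMOR_CCACHE="${ARMOR_CCACHE:-FILE:/tmp/armor.ccache}"
USER_CCACHE="${USER_CCACHE:-FILE:/tmp/user.ccache}"
TRACE_LOG="${TRACE_LOG:-/tmp/kinit-otp.trace}"

# Step 1: anonymous PKINIT. The client is anonymous, but it still verifies the
# KDC certificate against a trusted anchor; without that, a rogue KDC could
# stand up the armor channel and harvest the OTP sent in step 2.
# X509_anchors is only needed when krb5.conf has no pkinit_anchors.
get_armor_ticket() {
    kinit -n -c "$ARMOR_CCACHE" -X "X509_anchors=$PKINIT_ANCHORS" "@$REALM"
}

# Step 2: the real login. -T names the armor cache, so the OTP response travels
# only inside the FAST channel. KRB5_TRACE records what the KDC offered.
fast_otp_kinit() {
    KRB5_TRACE="$TRACE_LOG" kinit -T "$ARMOR_CCACHE" -c "$USER_CCACHE" "$PRINCIPAL"
}

# Print one preauth type name per line from the last "Processing preauth types"
# line in a trace file (the "(number)" suffixes are stripped).
trace_preauth_types() {
    grep 'Processing preauth types:' "$1" | tail -n 1 \
        | sed 's/.*Processing preauth types: //' \
        | tr ',' '\n' | sed 's/ (.*)//; s/^ *//; s/ *$//'
}

# Exit 0 if the KDC offered PA-OTP-REQUEST, 1 otherwise. If it is absent, the
# KDC is not advertising OTP preauth at all (e.g. the plugin is not loaded).
otp_offered() {
    trace_preauth_types "$1" | grep -qx 'PA-OTP-REQUEST'
}

# The live kinit calls run only when explicitly requested, so the checker
# functions above can also be used on their own against a saved trace file.
if [ "${KINIT_DEMO_RUN:-}" = "1" ]; then
    get_armor_ticket
    if fast_otp_kinit; then
        echo "ticket obtained in $USER_CCACHE"
    else
        echo "kinit failed; preauth types the KDC offered:" >&2
        trace_preauth_types "$TRACE_LOG" >&2
        otp_offered "$TRACE_LOG" \
            || echo "PA-OTP-REQUEST missing: is the OTP preauth plugin loaded on the KDC?" >&2
        exit 1
    fi
fi
```

Run it with KINIT_DEMO_RUN=1 against a real KDC; or source it and call trace_preauth_types on an existing KRB5_TRACE file to see, as in the thread, whether PA-OTP-REQUEST is among the types the KDC advertised.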