On Wed, Apr 26, 2023 at 11:29 AM Ken Hornstein <k...@cmf.nrl.navy.mil> wrote:
>
> >Since I am currently only interested in anonymous auth, I thought I
> >could skip that directive. But alas:
>
> Right, so, here's where my limited knowledge of FAST comes into play.
>
> As I understand it, you need to be able to use a trusted key to
> authenticate with the KDC to create the FAST channel. Your options
> are using an already-existing key (such as a host key) or anonymous
> PKINIT. But the "anonymous" part of anonymous PKINIT only refers to the
> CLIENT being anonymous; you still need the client to be able to verify
> the KDC's certificate (otherwise anyone could pretend to be your KDC and
> you could end up sending your OTP output to them, which would be bad).
Agreed. The docs that I referenced still made it seem that the anchor config was somewhat optional for anonymous auth, but maybe I wasn't reading those lines with the proper mindset or context.

> That's the piece you were missing. Once you have the FAST channel set
> up then you can use that to securely send the OTP response.
>
> I see in a later message you got it working; great! Just FYI in case
> anyone else asks, the key line in that trace output was this:
>
> [1185088] 1682519355.427424: Processing preauth types: PA-PK-AS-REQ
> (16), PA-FX-FAST (136), PA-ETYPE-INFO2 (19), PA-PKINIT-KX (147),
> PA-ENCRYPTED-CHALLENGE (138), PA_AS_FRESHNESS (150), PA-FX-COOKIE
> (133), PA-FX-ERROR (137)
>
> You're missing PA-OTP-REQUEST, which was because (as you discovered)
> that plugin wasn't installed. But that requires a lot of Kerberos
> knowledge to get to that point :-/

Yup!

> It does occur to me a useful addition to kinit might be a flag that
> means "authenticate using anonymous PKINIT and then use those
> credentials as a FAST armour credential cache" so you wouldn't have
> to muck around with juggling credential caches.

That would be great and would eliminate an impending shell alias for me:

alias kinit-otp='kinit -n -c /tmp/somecache; kinit -T /tmp/somecache'

Thanks for all the help, Ken (and BuzzSaw and Greg). It is very appreciated!

-m
________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
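The two-step flow the thread settles on (anonymous PKINIT into an armor cache, then a FAST-armoured kinit for the OTP exchange), written up as an added shell example that is not from the thread or from MIT Kerberos. It goes a little beyond the alias in two ways: the armor cache lives in a private, unpredictable mktemp directory rather than at a fixed /tmp path, and when the second kinit fails it inspects the KRB5_TRACE output for the symptom Ken points at above (PA-OTP-REQUEST, or FAST itself, absent from the "Processing preauth types" line). The function names, the KINIT override variable and the trace lines used for testing are my own constructions; it assumes MIT `kinit` is on PATH and that krb5.conf already has pkinit_anchors set so the anonymous PKINIT step can verify the KDC certificate.

```shell
#!/bin/sh
# Added example, not code from the thread or from MIT Kerberos: a wrapper for
# the "anonymous PKINIT, then FAST-armoured OTP kinit" flow discussed above.
# Assumptions: MIT Kerberos `kinit` on PATH (KINIT is my own hook so the flow
# can be exercised with a stub), and pkinit_anchors configured in krb5.conf.

# Print the names in "$2".."$n" that do not occur as "NAME (" anywhere in the
# KRB5_TRACE file "$1", i.e. preauth types missing from the
# "Processing preauth types:" line the thread identifies as the tell-tale.
preauth_missing() {
    trace="$1"; shift
    missing=""
    for want in "$@"; do
        if ! grep -F -q -- "$want (" "$trace"; then
            missing="${missing:+$missing }$want"
        fi
    done
    printf '%s\n' "$missing"
}

# kinit_otp PRINCIPAL: obtain OTP-authenticated tickets into the default cache,
# using a throw-away anonymous PKINIT ticket as FAST armor.
kinit_otp() {
    principal="$1"
    : "${KINIT:=kinit}"
    # Private 0700 directory with an unpredictable name, instead of the fixed
    # /tmp/somecache of the alias: no other local user can pre-create or swap
    # the armor cache, and the trace file lands in the same place.
    dir=$(mktemp -d "${TMPDIR:-/tmp}/kinit-otp.XXXXXX") || return 1
    armor="FILE:$dir/armor"
    trace="$dir/trace"

    # Step 1: anonymous PKINIT. Only the client is anonymous; the KDC's
    # certificate is still checked against pkinit_anchors, which is what
    # makes this ticket trustworthy as armor.
    "$KINIT" -n -c "$armor"
    status=$?

    if [ "$status" -eq 0 ]; then
        # Step 2: the FAST channel built from the armor ticket protects the
        # OTP response on its way to the KDC.
        KRB5_TRACE="$trace" "$KINIT" -T "$armor" "$principal"
        status=$?
        # On failure, check the trace for the symptom from the thread.
        if [ "$status" -ne 0 ] && [ -s "$trace" ]; then
            lacking=$(preauth_missing "$trace" PA-FX-FAST PA-OTP-REQUEST)
            if [ -n "$lacking" ]; then
                printf 'kinit-otp: preauth types missing from trace: %s (OTP preauth plugin installed?)\n' \
                    "$lacking" >&2
            fi
        fi
    fi

    # The armor ticket is only needed for the AS exchange; drop it and the trace.
    rm -rf "$dir"
    return "$status"
}
```

Usage is `kinit_otp user@REALM`; the OTP tickets end up in the default credential cache exactly as with the alias, and the anonymous armor ticket never outlives the call. Because kinit accepts the `FILE:` cache-name prefix for both `-c` and `-T`, the wrapper passes the same name to both steps.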