So, there’s an assumption here: all the kerberos 2fa stuff is really only used
when you kinit. And that extra protocol is the one where the three differing
protocols come in. Just like sshd’s Password Authentication vs Challenge
Response Authentication, the client has to be *able* to ask for mo
>Ken Hornstein writes:
>
>> I am not sure of the client coverage of the OTP FAST factor, though.
>
>For what it's worth, although my pam-krb5 module implements FAST including
>both keyed and anonymous FAST, it does not implement FAST OTP. This is
>because (a) I didn't find any documentation of wh
>I've been running Privacyidea (https://www.privacyidea.org/) for some
>time to manage the tokens. Exposed the Application with RADIUS and told
>FreeIPA to authenticate against RADIUS. Had some rough edges, but was
>usable for me and is able to manage many kinds of tokens.
So what's the _client_
Ken Hornstein writes:
>>I've been running Privacyidea (https://www.privacyidea.org/) for some
>>time to manage the tokens. Exposed the Application with RADIUS and told
>>FreeIPA to authenticate against RADIUS. Had some rough edges, but was
>>usable for me and is able to manage many kinds of token
Simo Sorce writes:
> Starting an ad-hoc kdc is pretty easy, I have it done in the make check
> phase in many small projects, including starting an ldap server, I
> haven't tried radius, but hopefully starting a freeradius server is not
> exceedingly hard either.
Yeah, for the record it was just
On Thu, 2021-10-07 at 15:14 -0400, Ken Hornstein wrote:
> > Ken Hornstein writes:
> >
> > > I am not sure of the client coverage of the OTP FAST factor,
> > > though.
> >
> > For what it's worth, although my pam-krb5 module implements FAST
> > including
> > both keyed and anonymous FAST, it does
Ken Hornstein writes:
> Huh, I _kinda_ thought that if you had FAST going, you got FAST OTP (on
> the client at least) for free! Which shows what I know. Maybe it works
> already and you never tested it?
The bit that I suspect doesn't work is all the interactions between the
prompting and the
On Thu, 2021-10-07 at 11:50 -0700, Russ Allbery wrote:
> Ken Hornstein writes:
>
> > I am not sure of the client coverage of the OTP FAST factor, though.
>
> For what it's worth, although my pam-krb5 module implements FAST including
> both keyed and anonymous FAST, it does not implement FAST OTP
Ken Hornstein writes:
> I am not sure of the client coverage of the OTP FAST factor, though.
For what it's worth, although my pam-krb5 module implements FAST including
both keyed and anonymous FAST, it does not implement FAST OTP. This is
because (a) I didn't find any documentation of what I wa
Hi,
[I'm running Kerberos inside FreeIPA, so plain Kerberos might be
different...]
Ken Hornstein writes:
>>We'd like to be able to leverage 2fa for some services (admins) and some
>>services (ssh logins) but not have to pump a 2fa code into, say, our mail
>>applications. Is there a way to
What do you regard as “expensive”?
Strong 2FA with world-wide acceptable PKI can be obtained for €70 a piece.
If you can afford the time, and are willing to do your own CA, you can lower it to
€15 a piece.
The first can be obtained when applying for Estonian E-resident,
https://learn.e-resident.gov.