FAST OTP Windows?


Christian M. Watts
Hi,

We've deployed KRB5 1.12.1 here on the KDC side and gotten FAST OTP (via
anonymous pkinit + Radius OTP) working for our UNIX clients. Looking for
some information regarding getting FAST OTP working from a Windows
client. I see that the current kfw (4.0.1) is based on 1.10, so it
wouldn't have support for FAST OTP, is my understanding.

My thoughts are:

1. Is there a client for Windows out there that can 'do' this already?

2. If not, is the Windows source that comes with the 1.12.1 tarball
updated for FAST OTP support? If it is, we can work on building it, but
would like to know if the support is there before we go down that road.

Thanks in advance!

Christian
_______________________________________________
krbdev mailing list             [hidden email]
https://mailman.mit.edu/mailman/listinfo/krbdev
Re: FAST OTP Windows?

Christian M. Watts
For those interested, we were able to make this work at a level that is
'good enough' for our purposes. Essentially, kinit can be used to obtain
tickets from the command-line via OTP preauth from a Windows client,
which is all we were looking to accomplish.

The Windows GUI components don't appear to support anonymous pkinit +
FAST + OTP, but rather need a password until such time as they're
updated ...

Essentially, the steps were:

1. Already have a working KRB5 realm with anonymous pkinit + FAST + OTP
Radius. Not trivial, but better documented elsewhere than by me here.

2. Compile the Windows sources (including the MSI) according to the
directions supplied in the KRB5 1.12.1 source code under
src/windows/README. The only thing we encountered was a problem with WiX
looking for .pdb debug stuff after passing NODEBUG=1 on the nmakes.
Doing a 'set NODEBUG=1' at the beginning of the documented build process
(right after 'set CPU=i386') solves that issue.

3. Install the MSI.

4. Anonymous pkinit for FAST works, but have to pull the anonymous cert
to an armor file to get the ccache going, it seems. This may be a
configuration issue (as far as us not understanding how to do anon_fast
the way the pam module does or maybe kinit just doesn't do that). In any
case, though, it is possible to obtain tickets using anonymous FAST with:

kinit -n -c <armorfile>
kinit -T <armorfile> <principal>
Enter OTP Token Value:

Alternately, it is possible to use a local keytab if needed (say, if not
using fully anonymous pkinit), like this:

kinit -k -t <local keytab file> -n -c <armorfile>
kinit -T <armorfile> <principal>
Enter OTP Token Value:

Hope that helps someone out!

Christian


On 7/17/2014 7:25 PM, Christian M. Watts wrote:

> Hi,
>
> We've deployed KRB5 1.12.1 here on the KDC side and gotten FAST OTP (via
> anonymous pkinit + Radius OTP) working for our UNIX clients. Looking for
> some information regarding getting FAST OTP working from a Windows
> client. I see that the current kfw (4.0.1) is based on 1.10, so it
> wouldn't have support for FAST OTP, is my understanding.
>
> My thoughts are:
>
> 1. Is there a client for windows out there that can 'do' this already?
>
> 2. If not, is the windows source that comes with the 1.12.1 tarball
> updated for FAST OTP support? If it is, we can work on building it, but
> would like to know if the support is there before we go down that road.
>
> Thanks in advance!
>
> Christian
> _______________________________________________
> krbdev mailing list             [hidden email]
> https://mailman.mit.edu/mailman/listinfo/krbdev
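
The two-step kinit sequence from step 4 of the reply above, wrapped as a PowerShell script. This is an added example, not part of the original post. The -KrbBin parameter (directory holding the self-built MIT kinit.exe, klist.exe and kdestroy.exe) and the temp-file location for the armor ccache are assumptions; full paths are used because Windows ships its own, unrelated klist.exe.

```powershell
# Added example: FAST OTP login using a throwaway armor ccache.
param(
    [Parameter(Mandatory = $true)][string]$KrbBin,     # assumed: bin directory of the MIT krb5 install
    [Parameter(Mandatory = $true)][string]$Principal,  # principal that authenticates with OTP
    [string]$Keytab                                    # optional local keytab for the armor ticket
)

$kinit    = Join-Path $KrbBin 'kinit.exe'
$klist    = Join-Path $KrbBin 'klist.exe'
$kdestroy = Join-Path $KrbBin 'kdestroy.exe'

# Per-run armor ccache file (hypothetical location); FILE: makes the ccache type explicit.
$armorPath = Join-Path $env:TEMP ("krb5_armor_{0}.ccache" -f [guid]::NewGuid().ToString('N'))
$armorCc   = "FILE:$armorPath"

try {
    # Step 1: get the armor ticket, anonymously (pkinit) or with a keytab.
    if ($Keytab) {
        & $kinit -k -t $Keytab -n -c $armorCc
    } else {
        & $kinit -n -c $armorCc
    }
    if ($LASTEXITCODE -ne 0) { throw "armor kinit failed (exit code $LASTEXITCODE)" }

    # klist -s prints nothing and exits non-zero if the ccache is unreadable or expired.
    & $klist -s $armorCc
    if ($LASTEXITCODE -ne 0) { throw "armor ccache $armorPath holds no usable ticket" }

    # Step 2: FAST-armored request; kinit prompts "Enter OTP Token Value:".
    & $kinit -T $armorCc $Principal
    if ($LASTEXITCODE -ne 0) { throw "FAST OTP kinit failed (exit code $LASTEXITCODE)" }

    # Show the tickets now in the default ccache.
    & $klist
}
finally {
    # The armor ticket is only needed for the exchange, so do not leave it on disk.
    if (Test-Path -LiteralPath $armorPath) {
        & $kdestroy -c $armorCc
        Remove-Item -LiteralPath $armorPath -Force -ErrorAction SilentlyContinue
    }
}
```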
