Kerberos OTP with FreeRadius


Kerberos OTP with FreeRadius

Brennecke, Simon
Hi all,


I'm trying to configure a MIT Kerberos server (I believe version 1.15) to do OTP preauth against a FreeRadius server on a Debian 9 host.


What I did so far was:

1) installed and configured FreeRadius to only do OTP with google-authenticator via PAM => works

2) installed and configured MIT kerberos with a couple of principals => "kinit -p simon" works

3) I followed https://web.mit.edu/kerberos/krb5-1.13/doc/admin/otp.html

4) I realized that I probably also need PKINIT for FAST to work, so I also followed https://web.mit.edu/kerberos/krb5-1.13/doc/admin/pkinit.html, but only the server portion. I skipped the client part. I was using my own CA.

5) I did 'set_string simon otp "[]"' and "modprinc +need_pre_auth simon"

6) restarted KDC


Here is where I am a bit unsure now. I kinda expect "kinit -p simon" now to either ask me for my password AND my OTP token, or at least fail with some error message. But instead it succeeds if I just enter my password.


From the logs I can see that the OTP module gets loaded and, when I do kinit, that some sort of PREAUTH is required, but apparently it is handled successfully and completely without OTP token.


I then started to fiddle with the "authentication indicators", but I'm afraid I do not properly understand their part in all this.


Can somebody please advise me what is missing?


Also can somebody explain how this integrates with PAM-kerberos on a client machine? Will PAM then prompt the user for the OTP token and password?


Many thanks & Regards

Simon
________________________________________________
Kerberos mailing list           [hidden email]
https://mailman.mit.edu/mailman/listinfo/kerberos

Re: Kerberos OTP with FreeRadius

Felix Weissbeck
Hi,

Am Freitag, 7. Juli 2017, 07:54:19 CEST schrieb Brennecke, Simon:
> Here is were I am a bit unsure now. I kinda expect "kinit -p simon" now to
> either ask me for my password AND my OTP token, or at least fail with some
> error message. But instead it succeeds if I just enter my password.

As far as I understand the pre-auth, it succeeds if you enter a correct
password OR if the radius-authentication is successful.

One solution is to remove the password from the kerberos database, so it only
works if the radius auth is successful.
  kadmin -q 'purgekeys -all YOUR_PRINCNAME'
(see: https://web.mit.edu/kerberos/krb5-1.13/doc/admin/pkinit.html)

The "problem" here is that you can now obtain a kerberos ticket with your
second factor alone; so you could configure PAM to successfully authenticate
with password+token.

I have a setup that asks for a password plus (yubikey or google-auth).
The PAM configuration looks like this:

auth    [success=2 default=ignore]      pam_google_authenticator.so try_first_pass forward_pass
auth    [success=1 default=ignore]      pam_yubico.so id=2 authfile=/etc/yubikeyid url=http://127.0.0.1/wsapi/2.0/verify?id=%d&otp=%s try_first_pass
auth    requisite                       pam_deny.so
auth    [success=1 default=ignore]      pam_unix.so use_first_pass
auth    requisite                       pam_deny.so
auth    required                        pam_permit.so


> Also can sombody explain how this integrates with PAM-kerberos on a client
> machine? Will PAM then prompt the user for the OTP token and password?

The authentication works with password+OTP supplied as one string.

Hope this helps. If anyone has a better approach please let me know.

Best regards
  Felix

Re: Kerberos OTP with FreeRadius

Benjamin Kaduk-2
On Fri, Jul 07, 2017 at 11:04:47AM +0200, Felix Weissbeck wrote:
>
> The  "problem" hereby is, that you can now obtain a kerberos ticket with your
> second factor alone; so you could configure PAM to successfully authenticate
> with password+token.

Yes, the FAST/OTP preauthentication mechanism from RFC 6560 uses only
the OTP factor, which makes it a great solution if you already have
deployed OTP infrastructure and need to add a kerberos solution for
your site.  For using OTP as a second factor, it's not really an option.

The current thinking in this space is that the SPAKE preauth scheme
in https://datatracker.ietf.org/doc/draft-ietf-kitten-krb-spake-preauth/
will fill this void, allowing a second factor to be mixed in with a
PAKE password-based preauth, that does not expose anything encrypted
in password-based keys directly on the wire (so as to stymie brute-force
attacks).

-Ben

Re: Kerberos OTP with FreeRadius

Brennecke, Simon
Hi guys,


Thank you so much for your help!


I managed to get OTP running now.

Freeradius checks the password and the token against PAM.


The remaining problem is that it requires two steps:


kinit -c cache -n

kinit -p testuser1 -T cache


This does not work with my PAM setup on the client machines out-of-the-box.

I'm using "libpam-krb5" on Debian and openSuSE machines.

My guess is that PAM only tries to do the second step without the FAST cache.


Any ideas?


Thanks & regards

Simon

Re: Kerberos OTP with FreeRadius

Brennecke, Simon
Hi again,


Answering my own question:

https://www.eyrie.org/~eagle/software/pam-krb5/pam-krb5.html


One has to add "anon_fast" to the line containing "pam_krb5.so" in /etc/pam.d/common-auth.


Thanks & regards

Simon
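To make the two PAM points in this thread concrete, here is an added example (not code from the thread, from Linux-PAM or from pam-krb5): a simplified model of how Linux-PAM walks an "auth" stack, following the control semantics that pam.conf(5) describes (keyword controls and [success=... default=...] tables with ok/done/bad/die/ignore/N actions). Run over Felix's stack, it shows why that stack passes only with a password plus one OTP, and a second function checks that every pam_krb5.so auth line carries the anon_fast option Simon needed for FAST. The module verdicts and the Debian-style client stack are constructed for the example; the model does not follow @include lines.

```python
"""Simplified model of a Linux-PAM "auth" stack (added example, not from the
thread, from Linux-PAM or from pam-krb5).  Parses pam.conf(5)-style lines,
walks the stack for a set of module verdicts, and checks pam_krb5.so lines
for anon_fast.  Stacks and verdicts below are constructed sample input."""
import re

# pam.conf(5) spells the keyword controls out as these action tables.
KEYWORDS = {
    "required":   {"success": "ok",   "default": "bad"},
    "requisite":  {"success": "ok",   "default": "die"},
    "sufficient": {"success": "done", "default": "ignore"},
    "optional":   {"success": "ok",   "default": "ignore"},
}

# type, control (keyword or [bracketed table]), module, remaining arguments
LINE = re.compile(r"(-?\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")


def parse_control(token):
    """Turn a control token into a {return-value: action} table."""
    if token.startswith("[") and token.endswith("]"):
        return dict(kv.partition("=")[::2] for kv in token[1:-1].split())
    if token in KEYWORDS:
        return dict(KEYWORDS[token])
    raise ValueError(f"unsupported control: {token}")


def parse_stack(text):
    """Parse PAM lines into (type, actions, module, args) tuples; comments,
    blank lines and @include are skipped (includes are not followed)."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("@include"):
            continue
        m = LINE.match(line)
        if not m:
            raise ValueError(f"unparseable PAM line: {raw!r}")
        mtype, control, module, rest = m.groups()
        entries.append((mtype.lstrip("-"), parse_control(control), module, rest.split()))
    return entries


def module_result(module, verdicts):
    """pam_permit/pam_deny have fixed results; the rest come from verdicts."""
    if module.endswith("pam_permit.so"):
        return True
    if module.endswith("pam_deny.so"):
        return False
    return verdicts.get(module, False)


def evaluate_auth(entries, verdicts):
    """Walk the auth stack and return 'success' or 'failure'.
    ok/N count as success unless a failure was recorded earlier, bad/die
    record a failure, done/die stop the walk, N also jumps over the next N
    modules; an unlisted return value falls back to default, then to bad."""
    auth = [e for e in entries if e[0] == "auth"]
    failed, i = False, 0
    while i < len(auth):
        _, actions, module, _ = auth[i]
        key = "success" if module_result(module, verdicts) else "default"
        action = actions.get(key, actions.get("default", "bad"))
        skip = 0
        if action.isdigit():          # "N": treated as ok plus a jump
            skip, action = int(action), "ok"
        if action in ("bad", "die"):
            failed = True
        if action in ("done", "die"):
            break
        i += 1 + skip
    return "failure" if failed else "success"


def pam_krb5_missing_anon_fast(entries):
    """pam_krb5.so auth lines without anon_fast (empty list means all set)."""
    return [e for e in entries
            if e[0] == "auth" and e[2].endswith("pam_krb5.so") and "anon_fast" not in e[3]]


# Felix's stack from the thread, unwrapped, used as sample input.
FELIX_STACK = """\
auth    [success=2 default=ignore]      pam_google_authenticator.so try_first_pass forward_pass
auth    [success=1 default=ignore]      pam_yubico.so id=2 authfile=/etc/yubikeyid url=http://127.0.0.1/wsapi/2.0/verify?id=%d&otp=%s try_first_pass
auth    requisite                       pam_deny.so
auth    [success=1 default=ignore]      pam_unix.so use_first_pass
auth    requisite                       pam_deny.so
auth    required                        pam_permit.so
"""

# Constructed Debian-style common-auth, before and after Simon's anon_fast fix.
CLIENT_COMMON_AUTH = """\
auth    [success=2 default=ignore]      pam_krb5.so minimum_uid=1000
auth    [success=1 default=ignore]      pam_unix.so nullok_secure try_first_pass
auth    requisite                       pam_deny.so
auth    required                        pam_permit.so
"""
CLIENT_COMMON_AUTH_FIXED = CLIENT_COMMON_AUTH.replace(
    "pam_krb5.so minimum_uid", "pam_krb5.so anon_fast minimum_uid")


def felix_outcomes():
    """Which credential combinations pass Felix's stack (constructed verdicts)."""
    stack = parse_stack(FELIX_STACK)
    cases = {
        "password+google":  {"pam_google_authenticator.so": True, "pam_unix.so": True},
        "password+yubikey": {"pam_yubico.so": True, "pam_unix.so": True},
        "password only":    {"pam_unix.so": True},
        "google only":      {"pam_google_authenticator.so": True},
    }
    return {name: evaluate_auth(stack, v) for name, v in cases.items()}


if __name__ == "__main__":
    for name, result in felix_outcomes().items():
        print(f"{name:18s} -> {result}")
    missing = pam_krb5_missing_anon_fast(parse_stack(CLIENT_COMMON_AUTH))
    print("pam_krb5 lines lacking anon_fast:", [" ".join(e[3]) for e in missing])
```

The walk shows the mechanism behind Felix's stack: a successful OTP module jumps over the pam_deny that follows it, and pam_unix then does the same, so the stack reaches pam_permit only when one OTP module and pam_unix both succeed; any other combination lands on a requisite pam_deny and stops. The anon_fast check is what you would run against a client's common-auth before blaming the KDC for a failed OTP preauth.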
