Kerberos OTP with RADIUS for kadmin

Kerberos OTP with RADIUS for kadmin

John Devitofranceschi

I’m thinking about securing Kerberos administrative principals (*/admin and the like) with OTP using RADIUS.

Will kadmin take kindly to that?  

I have all the parts (RADIUS server, KDC, etc).  I just need to glue them together, but it would be nice to know first if it’s worth the effort.


Thanks in advance for any info!

jd
________________________________________________
Kerberos mailing list           [hidden email]
https://mailman.mit.edu/mailman/listinfo/kerberos
Re: Kerberos OTP with RADIUS for kadmin

Robbie Harwood
John Devitofranceschi <[hidden email]> writes:

> I’m thinking about securing Kerberos administrative principals
> (*/admin and the like) with OTP using RADIUS.
>
> Will kadmin take kindly to that?  
>
> I have all the parts (RADIUS server, KDC, etc).  I just need to glue
> them together, but it would be nice to know first if it’s worth the
> effort.

(FreeIPA supports configuration of OTP/RADIUS for all user principals,
but we don't use the kadmin CLI interface, so I can't speak to this,
sorry.)

Thanks,
--Robbie

Re: Kerberos OTP with RADIUS for kadmin

Greg Hudson
In reply to this post by John Devitofranceschi
On 08/16/2018 06:41 PM, John Devitofranceschi wrote:
> I’m thinking about securing Kerberos administrative principals (*/admin and the like) with OTP using RADIUS.
>
> Will kadmin take kindly to that?

I believe it should be fine.  We don't test that particular combination
as far as I know, but we do test kadmin with anonymous PKINIT.  I
checked the code and it uses the appropriate interface to be able to
prompt for an OTP code as well as the password.
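For anyone doing the "glue" John describes on an MIT krb5 KDC, here is an added example that is not from anyone in this thread: the kdc.conf `[otp]` section that points the KDC at a RADIUS server, followed (as comments) by the kadmin.local commands that attach that token type to an admin principal. The RADIUS host, realm, principal name and file path are assumptions.

```ini
# kdc.conf fragment (assumed location: /var/kerberos/krb5kdc/kdc.conf)
[otp]
    # Token type name. DEFAULT is used when a principal's otp attribute
    # does not name a type; any other name must match the "type" field
    # set on the principal below.
    DEFAULT = {
        # Assumed RADIUS server; 1812 is the standard RADIUS auth port
        server = radius.example.com:1812
        # Placeholder: must equal the client secret configured on the RADIUS server
        secret = CHANGE-ME-shared-secret
        # Seconds to wait for one RADIUS reply, and retransmits before giving up
        timeout = 5
        retries = 3
        # Send "jd/admin" rather than "jd/admin@EXAMPLE.COM" as User-Name,
        # so the RADIUS user entry does not need the realm suffix
        strip_realm = true
    }

# Then, on the KDC, enable OTP for the admin principal (assumed name):
#
#   kadmin.local -q "set_string jd/admin@EXAMPLE.COM otp '[{\"type\":\"DEFAULT\"}]'"
#   kadmin.local -q "modprinc +requires_preauth jd/admin@EXAMPLE.COM"
#
# The first attaches the token type (and, via optional "username" and
# "indicators" keys, a different RADIUS user name or auth indicators);
# the second ensures the KDC will not issue a TGT without preauth.
```

OTP preauth is carried inside FAST, so the kadmin client needs an armor ticket, for example from the anonymous PKINIT that Greg mentions kadmin is tested with; without armor, kadmin falls back to ordinary password preauth only if the KDC still offers it, so check the KDC log for the OTP exchange when testing.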