MIT Kerberos OTP with Windows

14 messages

MIT Kerberos OTP with Windows

Oleksandr Yermolenko
Hi all,

I'm trying to configure a Windows 7 workstation to do OTP preauth.

I've installed MIT Kerberos for Windows 4.1, put krb5.ini as for linux
and ... of course obtain the error "Generic preauthentication
failure". FAST/PKINIT anonymous unsupported ...

any ideas how to implement OTP for Windows with MIT kerberos client?
possible?

thanks a lot for your help

Oleksandr Yermolenko

I can use it without any problem on Debian/CentOS-based systems,
following [1] and [2].

[1] https://www.eyrie.org/~eagle/software/pam-krb5/pam-krb5.html
[2] http://mailman.mit.edu/pipermail/kerberos/2017-July/021747.html
________________________________________________
Kerberos mailing list           [hidden email]
https://mailman.mit.edu/mailman/listinfo/kerberos

Re: MIT Kerberos OTP with Windows

Pallissard, Matthew-3
> any ideas how to implement OTP for Windows with MIT kerberos client? possible?

I don't know if KFW 4.1 supports OTP but what I do know is that in the past I couldn't get PKINIT working with KFW. I had to implement heimdal on the client end.

https://www.mail-archive.com/kfwdev@.../msg00822.html

Could be related.  Someone here could probably speak to that better than myself though.


Matt Pallissard

Re: MIT Kerberos OTP with Windows

Benjamin Kaduk-2
On Mon, Oct 30, 2017 at 09:05:10AM -0700, Pallissard, Matthew wrote:
> > any ideas how to implement OTP for Windows with MIT kerberos client? possible?
>
> I don't know if KFW 4.1 supports OTP but what I do know is that in the past I couldn't get PKINIT working with KFW. I had to implement heimdal on the client end.
>
> https://www.mail-archive.com/kfwdev@.../msg00822.html
>
> Could be related.  Someone here could probably speak to that better than myself though.

It's quite related, yes.

The FAST OTP mechanism of RFC 6560 requires a FAST tunnel to exist over
which the OTP value is sent.  Generally this tunnel is obtained via
anonymous PKINIT, but PKINIT of all forms is not currently implemented
in KfW.  In principle, the needed FAST tunnel could be obtained in
other ways, e.g., via a machine keytab, but the number of situations
in which these other methods would actually be useful are quite limited.

-Ben

Re: MIT Kerberos OTP with Windows

Oleksandr Yermolenko
thanks for your notes and direction

Oleksandr Yermolenko

On Mon, 30 Oct 2017 20:11:25 -0500
Benjamin Kaduk <[hidden email]> wrote:

> On Mon, Oct 30, 2017 at 09:05:10AM -0700, Pallissard, Matthew wrote:
> > > any ideas how to implement OTP for Windows with MIT kerberos
> > > client? possible?  
> >
> > I don't know if KFW 4.1 supports OTP but what I do know is that in
> > the past I couldn't get PKINIT working with KFW. I had to implement
> > heimdal on the client end.
> >
> > https://www.mail-archive.com/kfwdev@.../msg00822.html
> >
> > Could be related.  Someone here could probably speak to that better
> > than myself though.  
>
> It's quite related, yes.
>
> The FAST OTP mechanism of RFC 6560 requires a FAST tunnel to exist
> over which the OTP value is sent.  Generally this tunnel is obtained
> via anonymous PKINIT, but PKINIT of all forms is not currently
> implemented in KfW.  In principle, the needed FAST tunnel could be
> obtained in other ways, e.g., via a machine keytab, but the number of
> situations in which these other methods would actually be useful are
> quite limited.
>
> -Ben

Re: MIT Kerberos OTP with Windows

Dmitri Pal
In reply to this post by Benjamin Kaduk-2
On Mon, Oct 30, 2017 at 9:11 PM, Benjamin Kaduk <[hidden email]> wrote:

> On Mon, Oct 30, 2017 at 09:05:10AM -0700, Pallissard, Matthew wrote:
> > > any ideas how to implement OTP for Windows with MIT kerberos client?
> possible?
> >
> > I don't know if KFW 4.1 supports OTP but what I do know is that in the
> past I couldn't get PKINIT working with KFW. I had to implement heimdal on
> the client end.
> >
> > https://www.mail-archive.com/kfwdev@.../msg00822.html
> >
> > Could be related.  Someone here could probably speak to that better than
> myself though.
>
> It's quite related, yes.
>
> The FAST OTP mechanism of RFC 6560 requires a FAST tunnel to exist over
> which the OTP value is sent.  Generally this tunnel is obtained via
> anonymous PKINIT, but PKINIT of all forms is not currently implemented
> in KfW.  In principle, the needed FAST tunnel could be obtained in
> other ways, e.g., via a machine keytab, but the number of situations
> in which these other methods would actually be useful are quite limited.
>

This is why moving to SPAKE will make OTP easier to accomplish and support
with KfW.

> -Ben

--

Thank you,
Dmitri Pal

Engineering Director, Identity Management and Platform Security
Red Hat, Inc.

Re: MIT Kerberos OTP with Windows

Oleksandr Yermolenko
In reply to this post by Pallissard, Matthew-3
On Mon, 30 Oct 2017 09:05:10 -0700
"Pallissard, Matthew" <[hidden email]> wrote:

> > any ideas how to implement OTP for Windows with MIT kerberos
> > client? possible?  
>
> I don't know if KFW 4.1 supports OTP but what I do know is that in
> the past I couldn't get PKINIT working with KFW. I had to implement
> heimdal on the client end.

Matt,

have you managed to set up an anonymous FAST/PKINIT tunnel using Heimdal
as the Windows client? Just want to clarify.

Oleksandr Yermolenko

>
> https://www.mail-archive.com/kfwdev@.../msg00822.html
>
> Could be related.  Someone here could probably speak to that better
> than myself though.
>
>
> Matt Pallissard

Re: MIT Kerberos OTP with Windows

Charles Hedrick
In reply to this post by Oleksandr Yermolenko
You could issue a machine-specific key table, and then use a script that does kinit from the key table, then kinit -T pointing to the resulting credentials cache. I have verified the KfW kinit -T works.

We use OTP on Linux. I can’t get FAST/PKINIT to work there either. I have a kerberized service (using the machine’s key table) that will generate a credentials cache on a server and return it. That’s used to bootstrap kinit -T.

Surely there was a better approach than getting X509 involved in kerberos. I look forward to any alternatives.

My problem with KfW is more serious: I can’t get putty to see the tickets. That makes it of no real use to me. I’m going to try installing Ubuntu on Windows.

> On Oct 30, 2017, at 5:25 AM, Oleksandr Yermolenko <[hidden email]> wrote:
>
> Hi all,
>
> I'm trying to configure a Windows 7 workstation to do OTP preauth.
>
> I've installed MIT Kerberos for Windows 4.1, put krb5.ini as for linux
> and ... of course obtain the error "Generic preauthentication
> failure". FAST/PKINIT anonymous unsupported ...
>
> any ideas how to implement OTP for Windows with MIT kerberos client?
> possible?
>
> thanks a lot for your help
>
> Oleksandr Yermolenko
>
> I can use without any problem on the systems Debian/CentOS based
> according to [1] and [2]
>
> [1] https://www.eyrie.org/~eagle/software/pam-krb5/pam-krb5.html
> [2] http://mailman.mit.edu/pipermail/kerberos/2017-July/021747.html


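Ben mentions that the FAST tunnel could be obtained via a machine keytab, and Charles describes exactly that flow: kinit from the host's key table into a credentials cache, then kinit -T pointing at that cache so the OTP exchange happens inside FAST. The script below is an added example written for this page, not code from the thread or from MIT krb5; it assumes an MIT-style kinit (the -k/-t/-c/-T options) and uses placeholder values for the keytab path, host principal, cache locations and user principal. It also adds the check a practitioner would want before trusting this setup: the keytab must not be readable by anyone but its owner, because whoever can read it can mint the armor ticket and act as the host.

```shell
#!/bin/sh
# Added example (not from the thread): obtain a FAST armor ticket from a
# machine keytab and run the OTP kinit inside that FAST tunnel.
# Assumed: MIT-style kinit/kdestroy on PATH; keytab path, host principal,
# cache paths and user principal below are placeholders.
set -u

# The armor ticket is only as secret as the keytab it comes from, so refuse
# any keytab that group or world can access. In `ls -ld` output the mode
# field occupies columns 2-10; columns 5-10 are the group and other bits.
keytab_is_private() {
    [ -f "$1" ] || return 1
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Build the armor cache: a TGT for the host principal, kept in its own
# cache so the machine credential never mixes with the user's tickets.
armor_from_keytab() {
    ktab=$1
    hostprinc=$2
    armor_cc=$3
    if ! keytab_is_private "$ktab"; then
        echo "refusing keytab $ktab: must be mode 0600 or stricter" >&2
        return 1
    fi
    kinit -k -t "$ktab" -c "$armor_cc" "$hostprinc"
}

# OTP preauthentication (RFC 6560) is only offered inside FAST; -T names
# the armor cache, and kinit prompts for the OTP value over that tunnel.
otp_login() {
    armor_cc=$1
    user_cc=$2
    userprinc=$3
    kinit -T "$armor_cc" -c "$user_cc" "$userprinc"
}

# Whole flow. The armor cache is destroyed afterwards whether or not the
# user's login succeeded, so the host TGT does not linger on disk.
fast_otp_login() {
    ktab=$1
    hostprinc=$2
    userprinc=$3
    armor_cc="FILE:${TMPDIR:-/tmp}/krb5_armor_$$"
    user_cc="FILE:${TMPDIR:-/tmp}/krb5cc_$(id -u)"
    armor_from_keytab "$ktab" "$hostprinc" "$armor_cc" || return 1
    otp_login "$armor_cc" "$user_cc" "$userprinc"
    rc=$?
    kdestroy -c "$armor_cc" 2>/dev/null
    return $rc
}

# Run the flow only when explicitly asked, so the file can also be sourced
# for its functions. Usage: ./fast_otp.sh run user@EXAMPLE.ORG
if [ "${1:-}" = "run" ]; then
    fast_otp_login "${KRB5_KEYTAB:-/etc/krb5.keytab}" \
        "host/$(hostname -f)" "${2:?usage: $0 run user@REALM}"
fi
```

The design follows Ben's caveat rather than working around it: a keytab on the workstation is a long-lived host secret, so this bootstrap only makes sense on machines that are already trusted with one (a managed lab or office host, not an arbitrary laptop), and the permission check is what stops the OTP's second factor from being undermined by a readable keytab.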

Re: MIT Kerberos OTP with Windows

Benjamin Kaduk-2
On Wed, Nov 01, 2017 at 06:06:23PM +0000, Charles Hedrick wrote:
>
> My problem with KfW is more serious: I can’t get putty to see the tickets. That makes it of no real use to me. I’m going to try installing Ubuntu on Windows.

I was able to reliably get putty working with GSSAPI/Kerberos when I was
working on KfW.  The putty settings were kind of buried, though.
I guess https://www.pdc.kth.se/resources/software/login-1/windows/putty suggests
that Connection-->SSH-->Auth-->GSSAPI is where the checkboxes are hiding,
though there may have been one other thing that needed tweaking.

Hope this helps,

Ben

Re: MIT Kerberos OTP with Windows

Charles Hedrick

I’ll try again. Also KfW doesn’t seem to implement KDC proxy. I’d prefer not to open my KDC to the world. I’m currently using the proxy for home use.

> On Nov 1, 2017, at 2:30:55 PM, Benjamin Kaduk <[hidden email]> wrote:
>
> On Wed, Nov 01, 2017 at 06:06:23PM +0000, Charles Hedrick wrote:
>>
>> My problem with KfW is more serious: I can’t get putty to see the tickets. That makes it of no real use to me. I’m going to try installing Ubuntu on Windows.
>
> I was able to reliably get putty working with GSSAPI/Kerberos when I was
> working on KfW.  The putty settings were kind of buried, though.
> I guess https://www.pdc.kth.se/resources/software/login-1/windows/putty suggests
> that Connection-->SSH-->Auth-->GSSAPI is where the checkboxes are hiding,
> though there may have been one other thing that needed tweaking.
>
> Hope this helps,
>
> Ben



Re: MIT Kerberos OTP with Windows

Benjamin Kaduk-2
On Wed, Nov 01, 2017 at 10:30:36PM +0000, Charles Hedrick wrote:
>
> I’ll try again. Also KfW doesn’t seem to implement KDC proxy. I’d prefer not to open my KDC to the world. I’m currently using the proxy for home use.

Hmm, could you say a bit more about what version of KfW you're using and
how you've tried to configure MS-KKDCP?  From the release notes, at least,
it seems that KfW 4.1 should have this support available in some form.

-Ben

Re: MIT Kerberos OTP with Windows

Charles Hedrick
I’m using KfW 4.1. Since there’s no documentation on krb5.ini, I used the same syntax as for krb5.conf:

 kdc = https://services.cs.rutgers.edu/KdcProxy

I’m not using http_anchor, since we have a commercial cert, and other implementations don’t need us to specify a CA cert.

The error message says no kdc is reachable.

On Nov 2, 2017, at 7:33 PM, Benjamin Kaduk <[hidden email]> wrote:

On Wed, Nov 01, 2017 at 10:30:36PM +0000, Charles Hedrick wrote:

I’ll try again. Also KfW doesn’t seem to implement KDC proxy. I’d prefer not to open my KDC to the world. I’m currently using the proxy for home use.

Hmm, could you say a bit more about what version of KfW you're using and
how you've tried to configure MS-KKDCP?  From the release notes, at least,
it seems that KfW 4.1 should have this support available in some form.

-Ben


Re: MIT Kerberos OTP with Windows

Charles Hedrick
Here’s the conversation using tcpdump on the proxy server. The connection opens, no data is sent in either direction, and KfW closes it.

In case it matters, KfW is running in Windows 10 Fall Creators Update in a VM on a Mac.

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens32, link-type EN10MB (Ethernet), capture size 262144 bytes
09:48:51.655867 IP heidelberg.cs.rutgers.edu.64543 > services.cs.rutgers.edu.https: Flags [S], seq 1112026556, win 65535, options [mss 1460,nop,wscale 5,nop,nop,TS val 348866560 ecr 0,sackOK,eol], length 0
09:48:51.655986 IP services.cs.rutgers.edu.https > heidelberg.cs.rutgers.edu.64543: Flags [S.], seq 990987710, ack 1112026557, win 28960, options [mss 1460,sackOK,TS val 32546177 ecr 348866560,nop,wscale 7], length 0
09:48:51.656291 IP heidelberg.cs.rutgers.edu.64543 > services.cs.rutgers.edu.https: Flags [.], ack 1, win 4117, options [nop,nop,TS val 348866560 ecr 32546177], length 0
09:48:51.656783 IP heidelberg.cs.rutgers.edu.64543 > services.cs.rutgers.edu.https: Flags [F.], seq 1, ack 1, win 4117, options [nop,nop,TS val 348866560 ecr 32546177], length 0
09:48:51.657145 IP services.cs.rutgers.edu.https > heidelberg.cs.rutgers.edu.64543: Flags [F.], seq 1, ack 2, win 227, options [nop,nop,TS val 32546178 ecr 348866560], length 0
09:48:51.657401 IP heidelberg.cs.rutgers.edu.64543 > services.cs.rutgers.edu.https: Flags [.], ack 2, win 4117, options [nop,nop,TS val 348866561 ecr 32546178], length 0


> On Nov 3, 2017, at 9:30 AM, Charles Hedrick <[hidden email]> wrote:
>
> I’m using KfW 4.1. Since there’s no documentation on krb5.ini, I used the same syntax as for krb5.conf:
>
> kdc = https://services.cs.rutgers.edu/KdcProxy
>
> I’m not using http_anchor, since we have a commercial cert, and other implementations don’t need us to specify a CA cert.
>
> The error message says no kdc is reachable.
>
> On Nov 2, 2017, at 7:33 PM, Benjamin Kaduk <[hidden email]> wrote:
>
> On Wed, Nov 01, 2017 at 10:30:36PM +0000, Charles Hedrick wrote:
>
> I’ll try again. Also KfW doesn’t seem to implement KDC proxy. I’d prefer not to open my KDC to the world. I’m currently using the proxy for home use.
>
> Hmm, could you say a bit more about what version of KfW you're using and
> how you've tried to configure MS-KKDCP?  From the release notes, at least,
> it seems that KfW 4.1 should have this support available in some form.
>
> -Ben
>

Re: MIT Kerberos OTP with Windows

Charles Hedrick
It works fine in a copy of Ubuntu running in Linux for Windows on the same Windows 10 machine.

> On Nov 3, 2017, at 9:53 AM, Charles Hedrick <[hidden email]> wrote:
>
> Here’s the conversation using tcpdump on the proxy server. The connection opens, no data is sent in either direction, and KfW closes it.
>
> In case it matters, KfW is running in Windows 10 Fall Creator’s Update in a VM on a Mac.
>
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on ens32, link-type EN10MB (Ethernet), capture size 262144 bytes
> 09:48:51.655867 IP heidelberg.cs.rutgers.edu.64543 > services.cs.rutgers.edu.https: Flags [S], seq 1112026556, win 65535, options [mss 1460,nop,wscale 5,nop,nop,TS val 348866560 ecr 0,sackOK,eol], length 0
> 09:48:51.655986 IP services.cs.rutgers.edu.https > heidelberg.cs.rutgers.edu.64543: Flags [S.], seq 990987710, ack 1112026557, win 28960, options [mss 1460,sackOK,TS val 32546177 ecr 348866560,nop,wscale 7], length 0
> 09:48:51.656291 IP heidelberg.cs.rutgers.edu.64543 > services.cs.rutgers.edu.https: Flags [.], ack 1, win 4117, options [nop,nop,TS val 348866560 ecr 32546177], length 0
> 09:48:51.656783 IP heidelberg.cs.rutgers.edu.64543 > services.cs.rutgers.edu.https: Flags [F.], seq 1, ack 1, win 4117, options [nop,nop,TS val 348866560 ecr 32546177], length 0
> 09:48:51.657145 IP services.cs.rutgers.edu.https > heidelberg.cs.rutgers.edu.64543: Flags [F.], seq 1, ack 2, win 227, options [nop,nop,TS val 32546178 ecr 348866560], length 0
> 09:48:51.657401 IP heidelberg.cs.rutgers.edu.64543 > services.cs.rutgers.edu.https: Flags [.], ack 2, win 4117, options [nop,nop,TS val 348866561 ecr 32546178], length 0
>
>
>> On Nov 3, 2017, at 9:30 AM, Charles Hedrick <[hidden email]> wrote:
>>
>> I’m using KfW 4.1. Since there’s no documentation on krb5.ini, I used the same syntax as for krb5.conf:
>>
>> kdc = https://services.cs.rutgers.edu/KdcProxy
>>
>> I’m not using http_anchor, since we have a commercial cert, and other implementations don’t need us to specify a CA cert.
>>
>> The error message says no kdc is reachable.
>>
>> On Nov 2, 2017, at 7:33 PM, Benjamin Kaduk <[hidden email]> wrote:
>>
>> On Wed, Nov 01, 2017 at 10:30:36PM +0000, Charles Hedrick wrote:
>>
>> I’ll try again. Also KfW doesn’t seem to implement KDC proxy. I’d prefer not to open my KDC to the world. I’m currently using the proxy for home use.
>>
>> Hmm, could you say a bit more about what version of KfW you're using and
>> how you've tried to configure MS-KKDCP?  From the release notes, at least,
>> it seems that KfW 4.1 should have this support available in some form.
>>
>> -Ben
>>

Re: MIT Kerberos OTP with Windows

Greg Hudson
In reply to this post by Benjamin Kaduk-2
On 11/02/2017 07:33 PM, Benjamin Kaduk wrote:
> Hmm, could you say a bit more about what version of KfW you're using and
> how you've tried to configure MS-KKDCP?  From the release notes, at least,
> it seems that KfW 4.1 should have this support available in some form.

The TLS part of MS-KKDCP (which is mandatory; there's no non-HTTPS proxy
mode) is implemented as an auto-loaded plugin module linked against
OpenSSL.  Although I believe we have working module loading support for
Windows, the Windows build doesn't compile any plugin modules and
doesn't link against OpenSSL.  So this feature unfortunately didn't make
it into KfW, for mostly the same reasons as PKINIT isn't supported.