windows kerberos update?


Charles Hedrick
We’re starting to use Windows Kerberos, with a 3rd party login screen that calls Kerberos. Some of our staff use FreeOTP 2FA. As far as I can tell, the most recent KfW doesn’t support 2FA or the https: proxy. Are there plans for a new release that would do so?


________________________________________________
Kerberos mailing list           [hidden email]
https://mailman.mit.edu/mailman/listinfo/kerberos

Re: windows kerberos update?

Greg Hudson
On 1/16/19 11:23 AM, Charles Hedrick wrote:
> We’re starting to use Windows Kerberos, with a 3rd party login screen that calls Kerberos. Some of our staff use FreeOTP 2FA. As far as I can tell, the most recent KfW doesn’t support 2FA or the https: proxy.

KfW 4.1 is based on krb5 1.13, which includes the OTP client code, so I
think that's only half correct.

> Are there plans for a new release that would do so?

I was planning to do a Windows release based on the 1.17 branch (for
SPAKE support, if nothing else), but I don't have a specific time-table.

HTTPS proxy support is not currently part of the Windows build, because
of the OpenSSL dependency.  I can make an attempt to bring that in when
I make time to do work on the Windows port.  (Bringing in an OpenSSL
dependency would also make it possible to enable PKINIT support, though
that might also require some work on the PKINIT code.)

It is now possible to build the Windows installer from source using the
community (no-cost) version of the MS compiler.  See src/windows/README
in the source tree for details.

Re: windows kerberos update?

Charles Hedrick
Thanks. We’ll try OTP. If there’s no PKINIT, I guess that means the armor will have to come from the machine credentials. That should be workable.

A couple of us do kinit from home on the Mac. I don’t have a long list of people asking for it for Windows, but if a couple of people do it for Mac probably a few would do it for Windows as well. I’m paranoid enough about the server to want use from outside the department to go through the proxy.

On Jan 16, 2019, at 12:01:19 PM, Greg Hudson <[hidden email]> wrote:

> On 1/16/19 11:23 AM, Charles Hedrick wrote:
>> We’re starting to use Windows Kerberos, with a 3rd party login screen that calls Kerberos. Some of our staff use FreeOTP 2FA. As far as I can tell, the most recent KfW doesn’t support 2FA or the https: proxy.
>
> KfW 4.1 is based on krb5 1.13, which includes the OTP client code, so I
> think that's only half correct.
>
>> Are there plans for a new release that would do so?
>
> I was planning to do a Windows release based on the 1.17 branch (for
> SPAKE support, if nothing else), but I don't have a specific time-table.
>
> HTTPS proxy support is not currently part of the Windows build, because
> of the OpenSSL dependency.  I can make an attempt to bring that in when
> I make time to do work on the Windows port.  (Bringing in an OpenSSL
> dependency would also make it possible to enable PKINIT support, though
> that might also require some work on the PKINIT code.)
>
> It is now possible to build the Windows installer from source using the
> community (no-cost) version of the MS compiler.  See src/windows/README
> in the source tree for details.


Re: windows kerberos update?

Charles Hedrick
In reply to this post by Greg Hudson
I just verified that OTP does work. Thanks.

> On Jan 16, 2019, at 12:01 PM, Greg Hudson <[hidden email]> wrote:
>
> On 1/16/19 11:23 AM, Charles Hedrick wrote:
>> We’re starting to use Windows Kerberos, with a 3rd party login screen that calls Kerberos. Some of our staff use FreeOTP 2FA. As far as I can tell, the most recent KfW doesn’t support 2FA or the https: proxy.
>
> KfW 4.1 is based on krb5 1.13, which includes the OTP client code, so I
> think that's only half correct.
>
>> Are there plans for a new release that would do so?
>
> I was planning to do a Windows release based on the 1.17 branch (for
> SPAKE support, if nothing else), but I don't have a specific time-table.
>
> HTTPS proxy support is not currently part of the Windows build, because
> of the OpenSSL dependency.  I can make an attempt to bring that in when
> I make time to do work on the Windows port.  (Bringing in an OpenSSL
> dependency would also make it possible to enable PKINIT support, though
> that might also require some work on the PKINIT code.)
>
> It is now possible to build the Windows installer from source using the
> community (no-cost) version of the MS compiler.  See src/windows/README
> in the source tree for details.

