Yubico Forum

Re: Status of Yubikey and Kerberos

2014-05-07T08:50:08+01:00

Hello Brian,

Were you able to get something up and running? We are evaluating the use of yubikeys in our organization and would like to be able to use it as a 2nd factor to obtain kerberos tickets. I don't seem to find much resources on how to do this, apart from using PAM, but in that case, the pam_yubico module is providing the OTP validation and I would prefer that this is handled by the kerberos infrastructure.

Thanks for any response,

Frederic

Statistics: Posted by fredericve — Wed May 07, 2014 8:50 am

Re: Status of Yubikey and Kerberos

2012-03-20T13:25:37+01:00

I read it again and I see that the OTP plugin can use ykclient to authenticate, which uses the cloud service. ykclient is available in ubuntu in the "libykclient-dev" package and works fine.

(Aside: ykclient requires me to provide a client ID but not a secret key. So it seems anyone can make an (unencrypted) auth request using anyone else's client ID. Also: if ykclient has a way to use the API secret key, I can't find it)

Anyway... it looks like the bits are available, but now I need to work out what all this FAST armor stuff is about and how to use it to wrap the requests, probably using anonymous PKINIT:
http://k5wiki.kerberos.org/wiki/Pkinit_configuration

Statistics: Posted by brian_sm — Tue Mar 20, 2012 1:25 pm

Status of Yubikey and Kerberos

2012-03-19T13:59:05+01:00

What is the status of being able to use a Yubikey + cloud auth protocol for authentication with Kerberos?

I don't mind having to run a patched KDC and/or a patched kinit. I'd rather not have patched libkrb5 on the servers being logged into, but I don't think it would be needed anyway (i.e. a Kerberos ticket is just a Kerberos ticket, regardless of how you obtained it)

I found
http://wiki.yubico.com/wiki/index.php/Y ... r_Kerberos
which suggests that the draft for OTP authentication "is not implemented at this time and will require client modifications"

However I also found something which suggests it's possible using an otp preauth plugin for Kerberos:
http://www.kerberos.org/events/2011conf ... rdberg.pdf
https://www.nordu.net/~linus/INSTALL-krb5-fast-otp.html
This tells you to use ykpersonalize to wipe your yubikey. I would prefer to use the cloud auth service, as it makes the token useful across a wider range of services.

There's also
https://twiki.cern.ch/twiki/bin/view/Main/Yubikeys
but it seems to imply that you ssh into a machine, use Yubikey+pam to authenticate, and somehow get your kerberos ticket out of sshd. I can't see how it works, and in any case I'd prefer to kinit with yubikey and then ssh using my kerberos ticket.

So I'd be grateful for an overview of what's possible today, and any info on how to do it.

Thanks,

Brian.

Statistics: Posted by brian_sm — Mon Mar 19, 2012 1:59 pm