Yubico Forum ...visit our web-store at 2016-02-01T03:00:40+01:00 https://forum.yubico.com/feed.php?f=16&t=2113 2016-02-01T03:00:40+01:00 2016-02-01T03:00:40+01:00 https://forum.yubico.com/viewtopic.php?t=2113&p=8236#p8236 <![CDATA[Re: [QUESTION] Using Yubikey with Kerberos]]> It currently only works with MIT Kerberos on Linux.

Kerberos usually works like this: You request a Login for a certain ID, KDC sends you an encrypted message which you locally decrypt using your password. This obviously doesn't work with OTP.

For OTP FreeIPA uses the following:
You establish a secure channel to the KDC using anonymous PKINIT (you will have to verify the certificate), after that you send Password+OTP in clear text to the KDC, which can use any RADIUS server to verify it.

Other platforms:
Heimdal doesn't support OTP, MIT Kerberos for Windows has issues with PKINIT, Windows doesn't support it at all.
On Mac OS X, you can manually install MIT Kerberos.

It's probably easier to use the Yubikey as a smartcard and use certificate based login.

Statistics: Posted by asdf345 — Mon Feb 01, 2016 3:00 am

]]> 2015-11-30T21:34:19+01:00 2015-11-30T21:34:19+01:00 https://forum.yubico.com/viewtopic.php?t=2113&p=8033#p8033 <![CDATA[[QUESTION] Using Yubikey with Kerberos]]>
is it possible to use use the Yubikey with a Kerberos-Server to obtain the Kerberos tickets and has anybody sucessfully set up such a setup?

I don't care if it needs MIT or Heimdal Kerberos. Also challenge-response or OTP are fine (though the latter probably requires less changes in the client software).
The most recent thread I found for this topic is this one, and it's rather old with most of the links being broken by now.

Thanks

Statistics: Posted by Himartin — Mon Nov 30, 2015 9:34 pm

]]>