Yubico Forum

...visit our web-store at store.yubico.com
It is currently Tue Jan 30, 2018 1:30 pm

All times are UTC + 1 hour




Post new topic Reply to topic  [ 3 posts ] 
Author Message
PostPosted: Mon Mar 19, 2012 1:59 pm 
Offline

Joined: Fri Mar 16, 2012 10:58 am
Posts: 5
What is the status of being able to use a Yubikey + cloud auth protocol for authentication with Kerberos?

I don't mind having to run a patched KDC and/or a patched kinit. I'd rather not have patched libkrb5 on the servers being logged into, but I don't think it would be needed anyway (i.e. a Kerberos ticket is just a Kerberos ticket, regardless of how you obtained it)

I found
http://wiki.yubico.com/wiki/index.php/Y ... r_Kerberos
which suggests that the draft for OTP authentication "is not implemented at this time and will require client modifications"

However I also found something which suggests it's possible using an otp preauth plugin for Kerberos:
http://www.kerberos.org/events/2011conf ... rdberg.pdf
https://www.nordu.net/~linus/INSTALL-krb5-fast-otp.html
This tells you to use ykpersonalize to wipe your yubikey. I would prefer to use the cloud auth service, as it makes the token useful across a wider range of services.

There's also
https://twiki.cern.ch/twiki/bin/view/Main/Yubikeys
but it seems to imply that you ssh into a machine, use Yubikey+pam to authenticate, and somehow get your kerberos ticket out of sshd. I can't see how it works, and in any case I'd prefer to kinit with yubikey and then ssh using my kerberos ticket.

So I'd be grateful for an overview of what's possible today, and any info on how to do it.

Thanks,

Brian.


Top
 Profile  
Reply with quote  

Share On:

Share on Facebook FacebookShare on Twitter TwitterShare on Tumblr TumblrShare on Google+ Google+

PostPosted: Tue Mar 20, 2012 1:25 pm 
Offline

Joined: Fri Mar 16, 2012 10:58 am
Posts: 5
I read it again and I see that the OTP plugin can use ykclient to authenticate, which uses the cloud service. ykclient is available in ubuntu in the "libykclient-dev" package and works fine.

(Aside: ykclient requires me to provide a client ID but not a secret key. So it seems anyone can make an (unencrypted) auth request using anyone else's client ID. Also: if ykclient has a way to use the API secret key, I can't find it)

Anyway... it looks like the bits are available, but now I need to work out what all this FAST armor stuff is about and how to use it to wrap the requests, probably using anonymous PKINIT:
http://k5wiki.kerberos.org/wiki/Pkinit_configuration


Top
 Profile  
Reply with quote  
PostPosted: Wed May 07, 2014 8:50 am 
Offline

Joined: Wed May 07, 2014 8:15 am
Posts: 1
Hello Brian,

Were you able to get something up and running? We are evaluating the use of yubikeys in our organization and would like to be able to use it as a 2nd factor to obtain kerberos tickets. I don't seem to find much resources on how to do this, apart from using PAM, but in that case, the pam_yubico module is providing the OTP validation and I would prefer that this is handled by the kerberos infrastructure.

Thanks for any response,

Frederic


Top
 Profile  
Reply with quote  
Display posts from previous:  Sort by  
Post new topic Reply to topic  [ 3 posts ] 

All times are UTC + 1 hour


Who is online

Users browsing this forum: No registered users and 1 guest


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Search for:
Jump to:  
Powered by phpBB® Forum Software © phpBB Group