Yubico Forum

[QUESTION] Using Yubikey with Kerberos

Author:  Himartin [ Mon Nov 30, 2015 9:34 pm ]
Post subject:  [QUESTION] Using Yubikey with Kerberos


Is it possible to use the Yubikey with a Kerberos server to obtain the Kerberos tickets, and has anybody successfully set up such a setup?

I don't care if it needs MIT or Heimdal Kerberos. Also, challenge-response or OTP are fine (though the latter probably requires fewer changes in the client software).
The most recent thread I found for this topic is this one, and it's rather old with most of the links being broken by now.


Author:  asdf345 [ Mon Feb 01, 2016 3:00 am ]
Post subject:  Re: [QUESTION] Using Yubikey with Kerberos

Have a look at FreeIPA, it's already integrated there.
It currently only works with MIT Kerberos on Linux.

Kerberos usually works like this: you request a login for a certain ID, the KDC sends you an encrypted message which you locally decrypt using your password. This obviously doesn't work with OTP.

For OTP FreeIPA uses the following:
You establish a secure channel to the KDC using anonymous PKINIT (you will have to verify the certificate), after that you send Password+OTP in clear text to the KDC, which can use any RADIUS server to verify it.

Other platforms:
Heimdal doesn't support OTP, MIT Kerberos for Windows has issues with PKINIT, Windows doesn't support it at all.
On Mac OS X, you can manually install MIT Kerberos.

It's probably easier to use the Yubikey as a smartcard and use certificate based login.
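The two-step login the reply above describes (anonymous PKINIT to build a verified channel, then password+OTP inside it), written out as a client-side script. This is an added example, not code from the thread or from the FreeIPA project; it assumes an MIT krb5 client (kinit/klist), and the realm name, cache path and CA file below are placeholders. It also includes the check the reply calls out as necessary: the anonymous PKINIT step only authenticates the KDC if the client has a `pkinit_anchors` trust anchor configured, so the script refuses to run without one.

```shell
#!/bin/sh
# Added example (not from the forum thread): obtain a Kerberos TGT with
# password+OTP through FreeIPA-style OTP pre-authentication, in the two
# steps the post describes:
#   1. anonymous PKINIT builds a FAST "armor" ticket (no password involved;
#      the KDC's certificate, checked against pkinit_anchors, is what
#      authenticates the channel);
#   2. the real AS exchange runs inside that armored channel, and the KDC
#      hands the OTP to its RADIUS backend for verification.
# Assumptions: MIT krb5 client tools are installed; REALM, ARMOR_CCACHE and
# the CA path in the error text are placeholders for your own values.

REALM="${REALM:-EXAMPLE.TEST}"                      # placeholder realm
ARMOR_CCACHE="${ARMOR_CCACHE:-/tmp/armor.ccache}"   # placeholder cache path

# Return 0 if the krb5.conf given as $1 sets pkinit_anchors either globally
# in [libdefaults] or inside the [realms] stanza of realm $2, else 1.
# Without such an anchor the anonymous PKINIT step cannot verify the KDC
# certificate, so the "secure channel" would not actually be secure.
check_pkinit_anchors() {
    awk -v realm="$2" '
        /^\[/ {                      # new section header, e.g. [realms]
            section = $0
            sub(/^\[/, "", section); sub(/\].*$/, "", section)
            realm_blk = ""; next
        }
        section == "realms" && /^[ \t]*[A-Za-z0-9._-]+[ \t]*=[ \t]*\{/ {
            realm_blk = $1; next     # entering "REALM = {" block
        }
        section == "realms" && /^[ \t]*\}/ { realm_blk = ""; next }
        /^[ \t]*pkinit_anchors[ \t]*=/ {
            if (section == "libdefaults" ||
                (section == "realms" && realm_blk == realm)) found = 1
        }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# Step 1: anonymous PKINIT. -n requests the anonymous principal; "@REALM"
# asks for a fully anonymous ticket in that realm; -c keeps it in its own
# cache so it does not clobber the user's normal credentials.
get_armor_ticket() {
    kinit -n -c "$ARMOR_CCACHE" "@$REALM"
}

# Step 2: the user's login wrapped in FAST with the armor ticket (-T).
# At the prompt the user types the password immediately followed by the
# OTP code, which is the password+OTP concatenation the post describes.
get_otp_ticket() {
    kinit -T "$ARMOR_CCACHE" "$1@$REALM"
}

# Run end to end only when a user name is given, e.g.:  ./otp-kinit.sh alice
if [ $# -eq 1 ]; then
    if ! check_pkinit_anchors "${KRB5_CONFIG:-/etc/krb5.conf}" "$REALM"; then
        echo "no pkinit_anchors for $REALM (e.g. FILE:/path/to/ipa-ca.pem);" \
             "refusing to run: the KDC certificate would go unverified" >&2
        exit 1
    fi
    get_armor_ticket && get_otp_ticket "$1" && klist
fi
```

The token still has to be registered on the server side (FreeIPA keeps OTP tokens as objects managed with `ipa otptoken-add`, and the user's authentication type must allow OTP); this script only covers the client half that the reply sketches. The anchor check is deliberately strict about scope: a `pkinit_anchors` line that sits in `[realms]` but outside the target realm's block does not count.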
