Discussion:
Information request Duo Integration for kinit
Booker Bense
2015-10-16 16:23:07 UTC
In poking around on the web, I've found that MIT has some Duo integration for the kinit program.

Is there any documentation available on how this was implemented?

thanks,

- Booker C. Bense
________________________________________________
Kerberos mailing list ***@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
Greg Hudson
2015-10-16 21:49:03 UTC
Post by Booker Bense
In poking around on the web, I've found that MIT has some Duo integration for the kinit program.
Is there any documentation available on how this was implemented?

It's a custom kdcpreauth module using the SAM-2 mechanism, with repeated
KDC_ERR_PREAUTH_REQUIRED responses and KDC state. We are hoping to make
it open source at some point, but need to do some cleanup first.

The security properties of SAM-2 aren't great, and it isn't implemented
in any krb5 implementation other than MIT's. We are also working on a
SPAKE2-based preauth mechanism which should eventually enable a much
better integration of second factors, including Duo.

(CC'd Richard Basch as he asked the same question a couple of weeks ago.)