Hi,
Has someone managed to set up OTP 2FA between FreeIPA 4.5.X and Mac OS (High Sierra)? When authenticating with a non-2FA user, it works fine.
THE FIRST WAY: native Heimdal client:
aae$ kinit --version
kinit (Heimdal 1.5.1apple1)
Copyright 1995-2011 Kungliga Tekniska Högskolan
Send bug-reports to heimdal-bugs@h5l.org
aae$
aae$ kdestroy
aae$ kinit --anonymous
aae$ klist
Credentials cache: KCM:74E6A71B-BCB9-43E1-8832-AFC7B17831E7
        Principal: WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS

  Issued                Expires               Principal
Jun 20 12:41:07 2018  Jun 21 12:41:06 2018  krbtgt/IDM.CRP@IDM.CRP
aae$
aae$ kinit --fast-armor-cache=KCM:74E6A71B-BCB9-43E1-8832-AFC7B17831E7 aae@IDM.CRP
kinit: krb5_init_creds_set_fast_ccache: Matching credential (krbtgt/WELLKNOWN:ANONYMOUS@WELLKNOWN:ANONYMOUS) not found
aae$
Found in [1] that FAST is supported, but whether it is enough for OTP I have no idea. Tried the TCP protocol [2] without success. I can't find information on how to activate anonymous FAST on Mac OS, if this protocol is supported at all. What about OTP? I'm not sure that the old Heimdal Kerberos client is compatible with PKINIT/FAST. I know, so many questions for Apple developers and support.
---------------------------------------------
THE SECOND WAY: MIT client, version krb5-1.16.1

port install kerberos5
...
--->  Installing kerberos5 @1.16.1_0
...

Slightly changed /etc/krb5.conf.
aae$ kdestroy
kdestroy: No credentials cache found while destroying cache
aae$ kinit -n
aae$ klist -A
Ticket cache: KCM:501
Default principal: WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS

Valid starting       Expires              Service principal
06/20/2018 12:46:22  06/21/2018 12:46:22  krbtgt/IDM.CRP@IDM.CRP
aae$
aae$ kinit -T KCM:501 aae@IDM.CRP
Enter OTP Token Value:
aae$
aae$ klist -A
Ticket cache: KCM:501:2
Default principal: aae@IDM.CRP

Valid starting       Expires              Service principal
06/20/2018 12:47:13  06/21/2018 12:46:59  krbtgt/IDM.CRP@IDM.CRP

Ticket cache: KCM:501
Default principal: WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS

Valid starting       Expires              Service principal
06/20/2018 12:46:22  06/21/2018 12:46:22  krbtgt/IDM.CRP@IDM.CRP
aae$
Much, much better, but it's not enough because I can't use the TGT. As you can see, I tried to use the KCM cache, believing that I was using the native Heimdal KCM server on my Mac, but without success: I do not see any valid tickets in /System/Library/CoreServices/<Ticket Viewer>, and of course I don't have Kerberos-related access to corporate resources.
----------------------------------------------
Any help is appreciated. Possible directions/ideas on how to implement 2FA on Mac OS without hacks?
I have successfully set up Linux using pam-krb5 and the anon_fast option.
References:
[1] https://www.redhat.com/archives/freeipa-users/2016-December/msg00214.html
[2] https://www.redhat.com/archives/freeipa-users/2016-December/msg00219.html
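An added login helper for the MIT-client approach above; it is not code from the thread or from FreeIPA. It assumes MacPorts' MIT kinit/klist/krb5-config are first in PATH, that anonymous PKINIT is enabled on the IPA KDC, and that the cache names and principal are placeholders:

```shell
#!/bin/sh
# Added example, not from the thread: a login helper for the second approach
# in the post (MIT krb5 from MacPorts on macOS). It gets an anonymous PKINIT
# ticket as FAST armor, then runs an OTP kinit armored with it, and refuses
# to run on Heimdal's client, which the replies say lacks RFC 6560 OTP.
# Assumptions: MIT kinit/klist/krb5-config are first in PATH (/opt/local/bin),
# anonymous PKINIT is enabled on the KDC, and realm/principal are placeholders.

# Classify a Kerberos client from its vendor/version text. Heimdal's kinit
# prints "kinit (Heimdal 1.5.1apple1)"; MIT's krb5-config --vendor prints
# "Massachusetts Institute of Technology".
krb5_flavor() {
    case "$1" in
        *Heimdal*) echo heimdal ;;
        *"Massachusetts Institute of Technology"*|*"MIT Kerberos"*) echo mit ;;
        *) echo unknown ;;
    esac
}

# Read klist output on stdin and succeed only if a cache whose default
# principal is $1 (e.g. aae@IDM.CRP) holds a krbtgt, so a login is verified
# by the resulting ticket rather than by kinit's exit status alone.
has_tgt_for() {
    awk -v who="$1" '
        /^Default principal:/ { cur = $3 }
        /krbtgt\// && cur == who { found = 1 }
        END { exit !found }'
}

# Two-step login. Armor and user tickets go to separate caches so kdestroy on
# the user cache never discards the armor ticket (the post reused KCM:501).
otp_login() {
    principal="$1"
    armor_cc="${2:-FILE:/tmp/krb5cc_armor_$(id -u)}"   # assumed writable
    user_cc="${3:-KCM:}"                # MIT's KCM cache type, as in the post
    vendor=$(krb5-config --vendor 2>/dev/null || kinit --version 2>&1)
    if [ "$(krb5_flavor "$vendor")" != mit ]; then
        echo "need MIT krb5 for RFC 6560 OTP, found: $vendor" >&2
        return 2
    fi
    kinit -n -c "$armor_cc" || return 1                 # anonymous armor TGT
    kinit -T "$armor_cc" -c "$user_cc" "$principal" || return 1   # asks for OTP
    klist "$user_cc" | has_tgt_for "$principal"
}
```

Call it as `otp_login aae@IDM.CRP`; it exits 2 on a Heimdal client, 1 if either kinit fails, and 0 only when the user cache really holds a krbtgt.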
On Wed, 20 Jun 2018, Oleksandr Yermolenko via FreeIPA-users wrote:
FreeIPA requires a Kerberos implementation with RFC 6560 support. Heimdal, to date, doesn't have it implemented.
As for KCM, even though keys are stored in the KCM provided by Heimdal, it doesn't mean that the Heimdal client will be able to read and use a ticket obtained by the MIT client; at least internally, these have completely different structures.
You can get an MIT Kerberos implementation from MacPorts. I use that myself. However, I don’t use it for login, so I haven’t tried the PAM support on the Mac. The MacPorts implementation supports both 2FA and the HTTPS proxy. We restrict access to our Kerberos servers, so people at home have to use the proxy.
On Jun 20, 2018, at 6:00 AM, Oleksandr Yermolenko via FreeIPA-users freeipa-users@lists.fedorahosted.org wrote: