MIT Kerberos Documentation, Release 1.20

# OTP Preauthentication

OTP is a preauthentication mechanism for Kerberos 5 which uses One Time Passwords (OTP) to authenticate the client to the KDC. The OTP is passed to the KDC in clear text over an encrypted FAST channel. The KDC uses the password along with per-user configuration to proxy the request to a third-party RADIUS system. This enables out-of-the-box compatibility with a large number of already widely deployed proprietary systems.

Additionally, our implementation of the OTP system allows RADIUS requests to be passed over a UNIX domain stream socket. This permits the use of a local companion daemon which can handle the details of authentication.

## Defining token types

Token types are defined in either krb5.conf or kdc.conf according to the following format:

```
[otp]
    <name> = {
        server = <host:port>  (default: see below)
        secret = <filename>
        timeout = <integer>  (default: 5 [seconds])
        retries = <integer>  (default: 3)
        strip_realm = <boolean>  (default: true)
        indicator = <string>  (default: none)
    }
```
If the server field begins with '/', it will be interpreted as a UNIX socket. Otherwise, it is assumed to be in the format host:port. When a UNIX domain socket is specified, the secret field is optional and an empty secret is used by default. If the server field is not specified, it defaults to RUNSTATEDIR/krb5kdc/.socket.

When forwarding the request over RADIUS, by default the principal is used in the User-Name attribute of the RADIUS packet. The strip_realm parameter controls whether the principal is forwarded with or without the realm portion.

If an indicator field is present, tickets issued using this token type will be annotated with the specified authentication indicator (see Authentication indicators). This key may be specified multiple times to add multiple indicators.

## The default token type

A default token type is used internally when no token type is specified for a given user. It is defined as follows:

```
[otp]
    DEFAULT = {
        strip_realm = false
    }
```
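The following is a complete [otp] section in the format described above, added here as an example; it is not taken from the MIT Kerberos documentation or source. The token type names hw-token and local, the host radius.example.com, the socket path, the secret file path and the indicator names are constructed for the example; only the field names and defaults come from the documentation.

```ini
[otp]
    # Constructed token type: proxy to a RADIUS server over the network.
    # A host:port server needs a shared secret, read from the named file.
    hw-token = {
        server = radius.example.com:1812
        secret = /etc/krb5kdc/hw-token.secret
        timeout = 5
        retries = 3
        strip_realm = true
        # indicator given twice: tickets are annotated with both.
        indicator = otp
        indicator = hardware
    }

    # Constructed token type: a local companion daemon on a UNIX domain
    # stream socket. server begins with "/", so no secret is required.
    local = {
        server = /run/krb5kdc/otp-daemon.socket
    }

    # Replaces the internal DEFAULT. Users whose otp attribute names no
    # token type are then proxied to the RADIUS server with the realm
    # stripped; the built-in DEFAULT would send the full principal.
    DEFAULT = {
        server = radius.example.com:1812
        secret = /etc/krb5kdc/hw-token.secret
        strip_realm = true
    }
```

Because the secret file is what authenticates the KDC to the RADIUS server, it should be readable only by the user the KDC runs as; the local type needs no such file, which is one reason to prefer a companion daemon over a network RADIUS hop where that is an option.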
The administrator may override the internal DEFAULT token type simply by defining a configuration with the same name.

## Token instance configuration

To enable OTP for a client principal, the administrator must define the otp string attribute for that principal (see set_string). The otp user string is a JSON string of the format:

```
[{
    "type": <string>,
    "username": <string>,
    "indicators": [<string>, ...]
}, ...]
```

This is an array of token objects. All fields of a token object are optional. The type field names the token type of this token; if not specified, it defaults to DEFAULT. The username field specifies the value to be sent in the User-Name RADIUS attribute. If not specified, the principal name is sent, with or without realm as defined in the token type. The indicators field specifies a list of authentication indicators to annotate tickets with, overriding any indicators specified in the token type. For ease of configuration, an empty array ([]) is treated as equivalent to one DEFAULT token ([{}]).

## Other considerations

FAST is required for OTP to work.

© Copyright 1985-2022, MIT.
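The rules above (token type defaults, the built-in DEFAULT type and its override, strip_realm, the per-token username and indicators overrides, and the [] shorthand) interact, so it helps to see what the KDC would actually send for a given principal and otp attribute. The following Python model is an added example, not MIT Kerberos code: it does not talk RADIUS, it only computes the request plan the documented rules imply. The token type names hw-token and local, the host, the file paths, the indicator names and the RUNSTATEDIR value are constructed.

```python
"""Model the OTP module's per-token resolution rules (added example).

Not MIT Kerberos code: it applies the rules documented for [otp] token
types and the otp string attribute to constructed configuration and
returns, per token object, what would go into the RADIUS request.
"""
import json

RUNSTATEDIR = "/run"  # constructed stand-in for the build-time RUNSTATEDIR

# Documented defaults for a token type definition.
TYPE_DEFAULTS = {
    "server": RUNSTATEDIR + "/krb5kdc/.socket",
    "timeout": 5,
    "retries": 3,
    "strip_realm": True,
    "indicator": [],
}

# The internal DEFAULT token type, used when a token names no type.
BUILTIN_DEFAULT = {"strip_realm": False}

# Constructed [otp] section: one RADIUS-backed type, one UNIX-socket type.
SAMPLE_OTP_SECTION = {
    "hw-token": {
        "server": "radius.example.com:1812",
        "secret": "/etc/krb5kdc/hw-token.secret",
        "indicator": ["otp", "hardware"],  # "indicator" given twice in the file
    },
    "local": {
        "server": RUNSTATEDIR + "/krb5kdc/otp-daemon.socket",
    },
}


def load_token_types(otp_section):
    """Merge an [otp] section (name -> fields) with the documented defaults.

    A DEFAULT entry in the section replaces the built-in DEFAULT.
    """
    configured = {"DEFAULT": BUILTIN_DEFAULT, **otp_section}
    types = {}
    for name, fields in configured.items():
        merged = {**TYPE_DEFAULTS, **fields}
        if isinstance(merged["indicator"], str):
            merged["indicator"] = [merged["indicator"]]
        if merged["server"].startswith("/"):
            # UNIX domain socket: secret is optional and empty by default.
            merged.setdefault("secret", "")
        elif "secret" not in merged:
            raise ValueError(f"token type {name!r}: host:port server needs a secret")
        types[name] = merged
    return types


def resolve_tokens(principal, otp_string, token_types):
    """Return one request plan per token object in the otp string attribute."""
    tokens = json.loads(otp_string)
    if not isinstance(tokens, list):
        raise ValueError("otp attribute must be a JSON array of token objects")
    if tokens == []:
        tokens = [{}]  # documented shorthand for a single DEFAULT token
    plans = []
    for token in tokens:
        type_name = token.get("type", "DEFAULT")
        if type_name not in token_types:
            raise ValueError(f"unknown token type {type_name!r}")
        ttype = token_types[type_name]
        if "username" in token:
            user_name = token["username"]           # explicit override wins
        elif ttype["strip_realm"]:
            user_name = principal.split("@", 1)[0]  # drop the realm portion
        else:
            user_name = principal
        plans.append({
            "type": type_name,
            "server": ttype["server"],
            "secret": ttype["secret"],
            "timeout": ttype["timeout"],
            "retries": ttype["retries"],
            "user_name": user_name,
            # Per-token indicators replace, rather than extend, the type's list.
            "indicators": list(token.get("indicators", ttype["indicator"])),
        })
    return plans


if __name__ == "__main__":
    types = load_token_types(SAMPLE_OTP_SECTION)
    for attr in ("[]", '[{"type": "hw-token"}]',
                 '[{"type": "local", "username": "alice.s", "indicators": ["mfa"]}]'):
        print(attr, "->", resolve_tokens("alice@EXAMPLE.COM", attr, types))
```

Two points the model makes visible: with the built-in DEFAULT, an empty attribute sends the full principal (realm included) to the local socket, whereas the same attribute under an administrator-defined DEFAULT inherits strip_realm = true unless the override says otherwise; and a per-token indicators list silently drops the token type's indicators, so a token that sets indicators must restate any indicator the type would have added.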