1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
|
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>OTP Preauthentication — MIT Kerberos Documentation</title>
<link rel="stylesheet" href="../_static/agogo.css" type="text/css" />
<link rel="stylesheet" href="../_static/pygments.css" type="text/css" />
<link rel="stylesheet" href="../_static/kerb.css" type="text/css" />
<script type="text/javascript">
var DOCUMENTATION_OPTIONS = {
URL_ROOT: '../',
VERSION: '1.15.1',
COLLAPSE_INDEX: false,
FILE_SUFFIX: '.html',
HAS_SOURCE: true
};
</script>
<script type="text/javascript" src="../_static/jquery.js"></script>
<script type="text/javascript" src="../_static/underscore.js"></script>
<script type="text/javascript" src="../_static/doctools.js"></script>
<link rel="author" title="About these documents" href="../about.html" />
<link rel="copyright" title="Copyright" href="../copyright.html" />
<link rel="top" title="MIT Kerberos Documentation" href="../index.html" />
<link rel="up" title="For administrators" href="index.html" />
<link rel="next" title="Principal names and DNS" href="princ_dns.html" />
<link rel="prev" title="PKINIT configuration" href="pkinit.html" />
</head>
<body>
<div class="header-wrapper">
<div class="header">
<h1><a href="../index.html">MIT Kerberos Documentation</a></h1>
<div class="rel">
<a href="../index.html" title="Full Table of Contents"
accesskey="C">Contents</a> |
<a href="pkinit.html" title="PKINIT configuration"
accesskey="P">previous</a> |
<a href="princ_dns.html" title="Principal names and DNS"
accesskey="N">next</a> |
<a href="../genindex.html" title="General Index"
accesskey="I">index</a> |
<a href="../search.html" title="Enter search criteria"
accesskey="S">Search</a> |
<a href="mailto:krb5-bugs@mit.edu?subject=Documentation__OTP Preauthentication">feedback</a>
</div>
</div>
</div>
<div class="content-wrapper">
<div class="content">
<div class="document">
<div class="documentwrapper">
<div class="bodywrapper">
<div class="body">
<div class="section" id="otp-preauthentication">
<span id="otp-preauth"></span><h1>OTP Preauthentication<a class="headerlink" href="#otp-preauthentication" title="Permalink to this headline">¶</a></h1>
<p>OTP is a preauthentication mechanism for Kerberos 5 which uses One
Time Passwords (OTP) to authenticate the client to the KDC. The OTP
is passed to the KDC over an encrypted FAST channel in clear-text.
The KDC uses the password along with per-user configuration to proxy
the request to a third-party RADIUS system. This enables
out-of-the-box compatibility with a large number of already widely
deployed proprietary systems.</p>
<p>Additionally, our implementation of the OTP system allows for the
passing of RADIUS requests over a UNIX domain stream socket. This
permits the use of a local companion daemon which can handle the
details of authentication.</p>
<div class="section" id="defining-token-types">
<h2>Defining token types<a class="headerlink" href="#defining-token-types" title="Permalink to this headline">¶</a></h2>
<p>Token types are defined in either <a class="reference internal" href="conf_files/krb5_conf.html#krb5-conf-5"><em>krb5.conf</em></a> or
<a class="reference internal" href="conf_files/kdc_conf.html#kdc-conf-5"><em>kdc.conf</em></a> according to the following format:</p>
<div class="highlight-python"><div class="highlight"><pre>[otp]
<name> = {
server = <host:port or filename> (default: see below)
secret = <filename>
timeout = <integer> (default: 5 [seconds])
retries = <integer> (default: 3)
strip_realm = <boolean> (default: true)
indicator = <string> (default: none)
}
</pre></div>
</div>
<p>If the server field begins with ‘/’, it will be interpreted as a UNIX
socket. Otherwise, it is assumed to be in the format host:port. When
a UNIX domain socket is specified, the secret field is optional and an
empty secret is used by default. If the server field is not
specified, it defaults to <a class="reference internal" href="../mitK5defaults.html#paths"><em>RUNSTATEDIR</em></a><tt class="docutils literal"><span class="pre">/krb5kdc</span></tt><tt class="docutils literal"><span class="pre">/<name>.socket</span></tt>.</p>
<p>When forwarding the request over RADIUS, by default the principal is
used in the User-Name attribute of the RADIUS packet. The strip_realm
parameter controls whether the principal is forwarded with or without
the realm portion.</p>
<p>If an indicator field is present, tickets issued using this token type
will be annotated with the specified authentication indicator (see
<a class="reference internal" href="auth_indicator.html#auth-indicator"><em>Authentication indicators</em></a>). This key may be specified multiple times to
add multiple indicators.</p>
</div>
<div class="section" id="the-default-token-type">
<h2>The default token type<a class="headerlink" href="#the-default-token-type" title="Permalink to this headline">¶</a></h2>
<p>A default token type is used internally when no token type is specified for a
given user. It is defined as follows:</p>
<div class="highlight-python"><div class="highlight"><pre>[otp]
DEFAULT = {
strip_realm = false
}
</pre></div>
</div>
<p>The administrator may override the internal <tt class="docutils literal"><span class="pre">DEFAULT</span></tt> token type
simply by defining a configuration with the same name.</p>
</div>
<div class="section" id="token-instance-configuration">
<h2>Token instance configuration<a class="headerlink" href="#token-instance-configuration" title="Permalink to this headline">¶</a></h2>
<p>To enable OTP for a client principal, the administrator must define
the <strong>otp</strong> string attribute for that principal. (See
<a class="reference internal" href="admin_commands/kadmin_local.html#set-string"><em>set_string</em></a>.) The <strong>otp</strong> user string is a JSON string of the
format:</p>
<div class="highlight-xml"><div class="highlight"><pre>[{
"type": <span class="nt"><string></span>,
"username": <span class="nt"><string></span>,
"indicators": [<span class="nt"><string></span>, ...]
}, ...]
</pre></div>
</div>
<p>This is an array of token objects. Both fields of token objects are
optional. The <strong>type</strong> field names the token type of this token; if
not specified, it defaults to <tt class="docutils literal"><span class="pre">DEFAULT</span></tt>. The <strong>username</strong> field
specifies the value to be sent in the User-Name RADIUS attribute. If
not specified, the principal name is sent, with or without realm as
defined in the token type. The <strong>indicators</strong> field specifies a list
of authentication indicators to annotate tickets with, overriding any
indicators specified in the token type.</p>
<p>For ease of configuration, an empty array (<tt class="docutils literal"><span class="pre">[]</span></tt>) is treated as
equivalent to one DEFAULT token (<tt class="docutils literal"><span class="pre">[{}]</span></tt>).</p>
</div>
<div class="section" id="other-considerations">
<h2>Other considerations<a class="headerlink" href="#other-considerations" title="Permalink to this headline">¶</a></h2>
<ol class="arabic simple">
<li>FAST is required for OTP to work.</li>
</ol>
</div>
</div>
</div>
</div>
</div>
</div>
<div class="sidebar">
<h2>On this page</h2>
<ul>
<li><a class="reference internal" href="#">OTP Preauthentication</a><ul>
<li><a class="reference internal" href="#defining-token-types">Defining token types</a></li>
<li><a class="reference internal" href="#the-default-token-type">The default token type</a></li>
<li><a class="reference internal" href="#token-instance-configuration">Token instance configuration</a></li>
<li><a class="reference internal" href="#other-considerations">Other considerations</a></li>
</ul>
</li>
</ul>
<br/>
<h2>Table of contents</h2>
<ul class="current">
<li class="toctree-l1"><a class="reference internal" href="../user/index.html">For users</a></li>
<li class="toctree-l1 current"><a class="reference internal" href="index.html">For administrators</a><ul class="current">
<li class="toctree-l2"><a class="reference internal" href="install.html">Installation guide</a></li>
<li class="toctree-l2"><a class="reference internal" href="conf_files/index.html">Configuration Files</a></li>
<li class="toctree-l2"><a class="reference internal" href="realm_config.html">Realm configuration decisions</a></li>
<li class="toctree-l2"><a class="reference internal" href="database.html">Database administration</a></li>
<li class="toctree-l2"><a class="reference internal" href="lockout.html">Account lockout</a></li>
<li class="toctree-l2"><a class="reference internal" href="conf_ldap.html">Configuring Kerberos with OpenLDAP back-end</a></li>
<li class="toctree-l2"><a class="reference internal" href="appl_servers.html">Application servers</a></li>
<li class="toctree-l2"><a class="reference internal" href="host_config.html">Host configuration</a></li>
<li class="toctree-l2"><a class="reference internal" href="backup_host.html">Backups of secure hosts</a></li>
<li class="toctree-l2"><a class="reference internal" href="pkinit.html">PKINIT configuration</a></li>
<li class="toctree-l2 current"><a class="current reference internal" href="">OTP Preauthentication</a><ul class="simple">
</ul>
</li>
<li class="toctree-l2"><a class="reference internal" href="princ_dns.html">Principal names and DNS</a></li>
<li class="toctree-l2"><a class="reference internal" href="enctypes.html">Encryption types</a></li>
<li class="toctree-l2"><a class="reference internal" href="https.html">HTTPS proxy configuration</a></li>
<li class="toctree-l2"><a class="reference internal" href="auth_indicator.html">Authentication indicators</a></li>
<li class="toctree-l2"><a class="reference internal" href="admin_commands/index.html">Administration programs</a></li>
<li class="toctree-l2"><a class="reference internal" href="../mitK5defaults.html">MIT Kerberos defaults</a></li>
<li class="toctree-l2"><a class="reference internal" href="env_variables.html">Environment variables</a></li>
<li class="toctree-l2"><a class="reference internal" href="troubleshoot.html">Troubleshooting</a></li>
<li class="toctree-l2"><a class="reference internal" href="advanced/index.html">Advanced topics</a></li>
<li class="toctree-l2"><a class="reference internal" href="various_envs.html">Various links</a></li>
</ul>
</li>
<li class="toctree-l1"><a class="reference internal" href="../appdev/index.html">For application developers</a></li>
<li class="toctree-l1"><a class="reference internal" href="../plugindev/index.html">For plugin module developers</a></li>
<li class="toctree-l1"><a class="reference internal" href="../build/index.html">Building Kerberos V5</a></li>
<li class="toctree-l1"><a class="reference internal" href="../basic/index.html">Kerberos V5 concepts</a></li>
<li class="toctree-l1"><a class="reference internal" href="../formats/index.html">Protocols and file formats</a></li>
<li class="toctree-l1"><a class="reference internal" href="../mitK5features.html">MIT Kerberos features</a></li>
<li class="toctree-l1"><a class="reference internal" href="../build_this.html">How to build this documentation from the source</a></li>
<li class="toctree-l1"><a class="reference internal" href="../about.html">Contributing to the MIT Kerberos Documentation</a></li>
<li class="toctree-l1"><a class="reference internal" href="../resources.html">Resources</a></li>
</ul>
<br/>
<h4><a href="../index.html">Full Table of Contents</a></h4>
<h4>Search</h4>
<form class="search" action="../search.html" method="get">
<input type="text" name="q" size="18" />
<input type="submit" value="Go" />
<input type="hidden" name="check_keywords" value="yes" />
<input type="hidden" name="area" value="default" />
</form>
</div>
<div class="clearer"></div>
</div>
</div>
<div class="footer-wrapper">
<div class="footer" >
<div class="right" ><i>Release: 1.15.1</i><br />
© <a href="../copyright.html">Copyright</a> 1985-2017, MIT.
</div>
<div class="left">
<a href="../index.html" title="Full Table of Contents"
>Contents</a> |
<a href="pkinit.html" title="PKINIT configuration"
>previous</a> |
<a href="princ_dns.html" title="Principal names and DNS"
>next</a> |
<a href="../genindex.html" title="General Index"
>index</a> |
<a href="../search.html" title="Enter search criteria"
>Search</a> |
<a href="mailto:krb5-bugs@mit.edu?subject=Documentation__OTP Preauthentication">feedback</a>
</div>
</div>
</div>
</body>
</html>
|
