You can get an MIT Kerberos implementation from MacPorts. I use that myself. However, I
don’t use it for login, so I haven’t tried the PAM support on the Mac. The MacPorts
implementation supports both 2FA and the https proxy. We restrict access to our Kerberos
servers, so people at home have to use the proxy.
On Jun 20, 2018, at 6:00 AM, Oleksandr Yermolenko via FreeIPA-users
<freeipa-users(a)lists.fedorahosted.org> wrote:
Hi,
Has someone managed to set up OTP 2FA between FreeIPA 4.5.X and Mac OS (High Sierra)?
Authenticating with a non-2FA user works fine.
THE FIRST WAY: native Heimdal client:
aae$ kinit --version
kinit (Heimdal 1.5.1apple1)
Copyright 1995-2011 Kungliga Tekniska Högskolan
Send bug-reports to heimdal-bugs(a)h5l.org
aae$
aae$ kdestroy
aae$ kinit --anonymous
aae$ klist
Credentials cache: KCM:74E6A71B-BCB9-43E1-8832-AFC7B17831E7
Principal: WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS
Issued Expires Principal
Jun 20 12:41:07 2018 Jun 21 12:41:06 2018 krbtgt/IDM.CRP@IDM.CRP
aae$ kinit --fast-armor-cache=KCM:74E6A71B-BCB9-43E1-8832-AFC7B17831E7 aae@IDM.CRP
kinit: krb5_init_creds_set_fast_ccache: Matching credential
(krbtgt/WELLKNOWN:ANONYMOUS@WELLKNOWN:ANONYMOUS) not found
aae$
Found [1] that FAST is supported, but whether it is enough for OTP I have no idea. Tried the TCP
protocol [2] without success. I can't find information on how to activate anon FAST on
Mac OS if this protocol is supported. What about OTP? I'm not sure that the old Heimdal
Kerberos client is compatible with PKINIT/FAST. I know, so many questions for Apple
developers and support.
---------------------------------------------
THE SECOND WAY: client MIT version krb5-1.16.1
port install kerberos5
...
---> Installing kerberos5 @1.16.1_0
...
slightly changed /etc/krb5.conf
aae$ kdestroy
kdestroy: No credentials cache found while destroying cache
aae$ kinit -n
aae$ klist -A
Ticket cache: KCM:501
Default principal: WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS
Valid starting Expires Service principal
06/20/2018 12:46:22 06/21/2018 12:46:22 krbtgt/IDM.CRP@IDM.CRP
aae$ kinit -T KCM:501 aae@IDM.CRP
Enter OTP Token Value:
aae$
aae$ klist -A
Ticket cache: KCM:501:2
Default principal: aae@IDM.CRP
Valid starting Expires Service principal
06/20/2018 12:47:13 06/21/2018 12:46:59 krbtgt/IDM.CRP@IDM.CRP
Ticket cache: KCM:501
Default principal: WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS
Valid starting Expires Service principal
06/20/2018 12:46:22 06/21/2018 12:46:22 krbtgt/IDM.CRP@IDM.CRP
aae$
Much, much better, but it's not enough because I can't use the TGT. As you can see, I
tried to use the KCM cache, believing that I use the native Heimdal KCM server on my Mac, but
without success: I do not see any valid tickets in
/System/Library/CoreServices/<Ticket Viewer> and of course don't have Kerberos-related
access to corporate resources.
----------------------------------------------
Any help is appreciated. Possible directions/ideas on how to implement 2FA on Mac OS without
hacks?
I have successfully set up Linux using pam-krb5 and the anon_fast option.
References:
[1] https://www.redhat.com/archives/freeipa-users/2016-December/msg00214.html
[2] https://www.redhat.com/archives/freeipa-users/2016-December/msg00219.html
--
Oleksandr Yermolenko
systems engineer
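The two-step procedure from the second attempt above (anonymous armor ticket first, then the FAST-armored kinit that prompts for the OTP), scripted as an added example that is not from the thread or from FreeIPA/MIT. It assumes the MacPorts MIT kinit/klist are on PATH, a usable pkinit_anchors entry in krb5.conf, and my own choice of cache names; the realm and user (aae@IDM.CRP) and the sample klist output used by the check come from the post.

```shell
#!/bin/sh
# Added example, not from the thread: the two-step armored OTP login with the
# MIT kinit/klist from MacPorts. Cache names below are assumptions; the realm
# and user (aae@IDM.CRP) are the ones from the post.
set -u

ARMOR_CACHE="${ARMOR_CACHE:-FILE:/tmp/krb5_armor_$(id -u)}"  # assumed location
TARGET_CACHE="${TARGET_CACHE:-KCM:}"                          # assumed: default KCM cache

# Pure check over MIT "klist" output read from stdin (Heimdal's klist prints
# "Principal:" instead, so it would not pass): the armor cache must belong to
# the anonymous principal and hold a krbtgt entry. Skipping this check is what
# leads to errors such as Heimdal's "Matching credential ... not found" above.
armor_listing_ok() {
    listing=$(cat)
    printf '%s\n' "$listing" | grep -q '^Default principal: WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS$' || return 1
    printf '%s\n' "$listing" | grep -q 'krbtgt/' || return 1
    return 0
}

# Step 1: anonymous PKINIT (kinit -n) into the armor cache; this needs a usable
# pkinit_anchors entry in krb5.conf. Step 2: confirm the armor cache is usable.
# Step 3: FAST-armored kinit (-T) for the real user, which prompts for the OTP,
# writing the TGT to TARGET_CACHE so it is easy to find afterwards.
armored_otp_kinit() {
    principal="$1"
    kinit -n -c "$ARMOR_CACHE" || { echo "anonymous kinit failed" >&2; return 1; }
    klist -c "$ARMOR_CACHE" | armor_listing_ok || { echo "armor cache unusable: $ARMOR_CACHE" >&2; return 1; }
    kinit -T "$ARMOR_CACHE" -c "$TARGET_CACHE" "$principal" || return 1
    klist -c "$TARGET_CACHE"
}

# Only act when a principal is given, e.g.:  sh armored_otp.sh aae@IDM.CRP
[ $# -eq 0 ] || armored_otp_kinit "$1"
```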