Hi,
Has anyone managed to set up OTP 2FA between FreeIPA 4.5.X and Mac
OS (High Sierra)?
Authenticating with a non-2FA user works fine.
THE FIRST WAY: native Heimdal client:
aae$ kinit --version
kinit (Heimdal 1.5.1apple1)
Copyright 1995-2011 Kungliga Tekniska Högskolan
Send bug-reports to heimdal-bugs@h5l.org
aae$
aae$ kdestroy
aae$ kinit --anonymous
aae$ klist
Credentials cache: KCM:74E6A71B-BCB9-43E1-8832-AFC7B17831E7
Principal: WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS
Issued Expires Principal
Jun 20 12:41:07 2018 Jun 21 12:41:06 2018 krbtgt/IDM.CRP@IDM.CRP
aae$ kinit --fast-armor-cache=KCM:74E6A71B-BCB9-43E1-8832-AFC7B17831E7 aae@IDM.CRP
kinit: krb5_init_creds_set_fast_ccache: Matching credential (krbtgt/WELLKNOWN:ANONYMOUS@WELLKNOWN:ANONYMOUS) not found
aae$
I found [1] that FAST is supported, but whether it is enough for OTP I have
no idea. I tried the TCP protocol [2] without success. I can't find
information on how to activate anonymous FAST on Mac OS, if this protocol
is supported at all. What about OTP? I'm not sure that the old Heimdal
Kerberos client is compatible with PKINIT/FAST. I know, so many
questions for Apple developers and support.
---------------------------------------------
THE SECOND WAY: MIT client, version krb5-1.16.1
port install kerberos5
...
---> Installing kerberos5 @1.16.1_0
...
I slightly changed /etc/krb5.conf.
aae$ kdestroy
kdestroy: No credentials cache found while destroying cache
aae$ kinit -n
aae$ klist -A
Ticket cache: KCM:501
Default principal: WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS
Valid starting Expires Service principal
06/20/2018 12:46:22 06/21/2018 12:46:22 krbtgt/IDM.CRP@IDM.CRP
aae$ kinit -T KCM:501 aae@IDM.CRP
Enter OTP Token Value:
aae$
aae$ klist -A
Ticket cache: KCM:501:2
Default principal: aae@IDM.CRP
Valid starting Expires Service principal
06/20/2018 12:47:13 06/21/2018 12:46:59 krbtgt/IDM.CRP@IDM.CRP
Ticket cache: KCM:501
Default principal: WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS
Valid starting Expires Service principal
06/20/2018 12:46:22 06/21/2018 12:46:22 krbtgt/IDM.CRP@IDM.CRP
aae$
Much, much better, but it's not enough because I can't use the TGT. As
you can see, I tried to use the KCM cache, believing that I was using the
native Heimdal KCM server on my Mac, but without success: I do not see
any valid tickets in /System/Library/CoreServices/Ticket Viewer and of
course don't have Kerberos-related access to corporate resources.
----------------------------------------------
Any help is appreciated. Any possible directions/ideas on how to
implement 2FA on Mac OS without hacks?
I have successfully set up Linux using pam-krb5 and the anon_fast
option.
References:
[1] https://www.redhat.com/archives/freeipa-users/2016-December/msg00214.html
[2] https://www.redhat.com/archives/freeipa-users/2016-December/msg00219.html
--
Oleksandr Yermolenko
systems engineer
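As an added example (not part of the original post, and not FreeIPA's or MIT's own tooling): a small POSIX shell helper that automates the two-step MIT sequence shown in the post, `kinit -n` for the anonymous PKINIT armor TGT and then `kinit -T <cache> user@REALM` for the OTP-armored request. Before calling `kinit -T` it parses `klist -A` output and checks that some cache both belongs to the anonymous principal and actually holds krbtgt/REALM@REALM, so a missing or expired armor ticket is reported up front instead of as a cryptic kinit error. The function names and the script are mine; the two embedded klist samples are constructed from the MIT and Heimdal output quoted in the post so the parser can be exercised without a KDC. It assumes MIT krb5 `kinit`/`klist` (e.g. the MacPorts kerberos5 port) on PATH and a krb5.conf with PKINIT anchors already configured for anonymous PKINIT.

```shell
#!/bin/sh
# otp-kinit helper: anonymous PKINIT armor + OTP-armored AS-REQ (MIT krb5).
# Added example; the function names are hypothetical, not part of any project.

# find_armor_cache REALM
# Reads `klist -A` output on stdin (MIT "Ticket cache:" or Heimdal
# "Credentials cache:" style) and prints the first cache whose principal is
# the anonymous one AND which holds krbtgt/REALM@REALM. Returns 1 otherwise.
find_armor_cache() {
    realm="$1"
    awk -v tgt="krbtgt/${realm}@${realm}" '
        /^(Ticket|Credentials) cache: /   { cache = $NF; principal = "" }
        /^(Default )?[Pp]rincipal: /      { principal = $NF }
        $NF == tgt && principal ~ /^WELLKNOWN\/ANONYMOUS@/ {
            print cache; found = 1; exit
        }
        END { exit found ? 0 : 1 }
    '
}

# otp_kinit REALM USER
# Step 1: `kinit -n` obtains an anonymous TGT (needs pkinit_anchors in krb5.conf).
# Step 2: locate that cache and use it as FAST armor for the OTP login.
otp_kinit() {
    realm="$1"; user="$2"
    kinit -n || return 1
    armor=$(klist -A | find_armor_cache "$realm") || {
        echo "no anonymous armor TGT for $realm found; check pkinit_anchors in /etc/krb5.conf" >&2
        return 1
    }
    # Prompts "Enter OTP Token Value:" and stores the user's TGT in a new cache.
    kinit -T "$armor" "${user}@${realm}"
}

# Constructed sample: the MIT `klist -A` output quoted in the post.
SAMPLE_MIT='Ticket cache: KCM:501:2
Default principal: aae@IDM.CRP

Valid starting       Expires              Service principal
06/20/2018 12:47:13  06/21/2018 12:46:59  krbtgt/IDM.CRP@IDM.CRP

Ticket cache: KCM:501
Default principal: WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS

Valid starting       Expires              Service principal
06/20/2018 12:46:22  06/21/2018 12:46:22  krbtgt/IDM.CRP@IDM.CRP'

# Constructed sample: the Heimdal `klist` output quoted in the post.
SAMPLE_HEIMDAL='Credentials cache: KCM:74E6A71B-BCB9-43E1-8832-AFC7B17831E7
Principal: WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS

  Issued                Expires               Principal
Jun 20 12:41:07 2018  Jun 21 12:41:06 2018  krbtgt/IDM.CRP@IDM.CRP'

# Stand-alone demo: picks KCM:501 (the anonymous cache), not the user cache KCM:501:2.
printf '%s\n' "$SAMPLE_MIT" | find_armor_cache IDM.CRP
# Real use: otp_kinit IDM.CRP aae
```

The realm check matters: an anonymous cache whose TGT is for a different realm, or one whose TGT has expired and been pruned, is exactly what makes the armored `kinit` fail, so the helper refuses to run step 2 in that state rather than letting kinit produce a "matching credential not found" message.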