Description of problem:
OTP seems to be working on RHEL-7 but its configuration differs from the upstream documentation found here:
http://web.mit.edu/~kerberos/krb5-devel/doc/admin/otp.html

The document above says "secret = <filename>" but the current release accepts only "secret = <shared_secret>". This difference will probably cause much confusion when the OTP feature is integrated with other products like IPA, because after a Kerberos rebase the OTP configuration would change. To avoid fixes across various products this issue should be fixed asap.

Version-Release number of selected component (if applicable):
krb5-1.11.3-36.el7

How reproducible:
always

Steps to Reproduce:
# cat /etc/krb5.conf
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 dns_lookup_realm = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 rdns = false
 default_realm = EXAMPLE.COM
 default_ccache_name = KEYRING:persistent:%{uid}

[realms]
 EXAMPLE.COM = {
  kdc = rhel7.pkis.net
  admin_server = rhel7.pkis.net
 }

[domain_realm]
 .example.com = EXAMPLE.COM
 example.com = EXAMPLE.COM

[plugins]
 kdcpreauth = {
  module = otp:/usr/lib64/krb5/plugins/preauth/otp.so
 }

[otp]
 DEFAULT = {
  server = localhost:1812
  secret = /tmp/secret
  #secret = testing123
  timeout = 5
  retries = 3
  strip_realm = true
 }

# kdb5_util -s create
... snip ...

# kadmin.local
kadmin.local:
kadmin.local: getprinc alice
Principal: alice
Expiration date: [never]
Last password change: Mon Nov 25 12:17:56 CET 2013
Password expiration date: [none]
Maximum ticket life: 1 day 00:00:00
Maximum renewable life: 0 days 00:00:00
Last modified: Mon Nov 25 15:26:02 CET 2013 (bob/admin)
Last successful authentication: Thu Nov 28 13:06:54 CET 2013
Last failed authentication: Thu Nov 28 13:42:50 CET 2013
Failed password attempts: 7
Number of keys: 8
Key: vno 1, aes256-cts-hmac-sha1-96, no salt
Key: vno 1, aes128-cts-hmac-sha1-96, no salt
Key: vno 1, des3-cbc-sha1, no salt
Key: vno 1, arcfour-hmac, no salt
Key: vno 1, camellia256-cts-cmac, no salt
Key: vno 1, camellia128-cts-cmac, no salt
Key: vno 1, des-hmac-sha1, no salt
Key: vno 1, des-cbc-md5, no salt
MKey: vno 1
Attributes: REQUIRES_PRE_AUTH
Policy: [none]
kadmin.local:
kadmin.local: getstrs alice
otp: []
kadmin.local:
#
# systemctl start krb5kdc
#
#
# echo '"alice" Cleartext-Password := "alice"' >> /etc/raddb/users
# grep "^\s*secret" /etc/raddb/clients.conf
	secret = testing123
#
# echo testing123 >/tmp/secret
#
# radiusd -X &>radius.log &
[1] 1733
#
# radtest alice alice localhost 0 testing123
Sending Access-Request of id 24 from 0.0.0.0 port 44288 to 127.0.0.1 port 1812
	User-Name = 'alice'
	User-Password = 'alice'
	NAS-IP-Address = 192.168.100.70
	NAS-Port = 0
	Message-Authenticator = 0x00
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=24, length=20
#
#
# kinit -c /tmp/aaa alice
Password for alice:
#
# klist
klist: No credentials cache found while retrieving principal name
#
# kinit -T /tmp/aaa alice
Enter OTP Token Value:
kinit: Preauthentication failed while getting initial credentials
#
# vim /etc/krb5.conf
# grep secret /etc/krb5.conf
  #secret = /tmp/secret
  secret = testing123
# systemctl restart krb5kdc
#
# kinit -T /tmp/aaa alice
Enter OTP Token Value:
# klist
Ticket cache: KEYRING:persistent:0:0
Default principal: alice

Valid starting       Expires              Service principal
12/10/2013 16:58:28  12/11/2013 16:58:26  krbtgt/EXAMPLE.COM
	renew until 12/10/2013 16:58:28
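The report above turns on one setting read two ways: krb5-1.11.3 on RHEL 7 treats `secret` in the `[otp]` stanza as the literal RADIUS shared secret, while the upstream krb5-devel documentation treats it as the name of a file holding that secret. The following script is an added example, not part of the bug report or of krb5 itself; its function names (`parse_otp_section`, `audit_secret`, `audit_config`, `demo`) are my own. It parses the `[otp]` section of a krb5.conf, reports which of the two forms each stanza uses, and flags what an admin would want to know before a rebase: a path that does not exist (which a literal-secret KDC would use verbatim, consistent with the failed `kinit -T` above), a secret file that other users can read, or a shared secret written straight into a krb5.conf that is normally world-readable.

```python
"""Audit the `secret` setting of krb5.conf [otp] stanzas.

krb5 1.11.3 on RHEL 7 (as reported above) treats `secret` as the literal
RADIUS shared secret, while upstream krb5-devel documents it as the name of
a file that holds the secret. This script is an added example (not krb5's
own code): it parses the [otp] section, reports which form each stanza
uses, and flags a literal secret in a world-readable krb5.conf, or a secret
file that is missing or too open.
"""
import os
import re
import stat
import tempfile
from typing import Dict, List, Optional, Tuple

# "NAME = {" opens a server stanza; "key = value" lines sit inside it.
STANZA_RE = re.compile(r"^([^\s=]+)\s*=\s*\{$")
KV_RE = re.compile(r"^([A-Za-z_]+)\s*=\s*(.*?)$")


def parse_otp_section(text: str) -> Dict[str, Dict[str, str]]:
    """Return {stanza: {key: value}} for the [otp] section of krb5.conf text."""
    stanzas: Dict[str, Dict[str, str]] = {}
    in_otp, current = False, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):      # blank or comment line
            continue
        if line.startswith("["):                   # new section header
            in_otp, current = (line == "[otp]"), None
            continue
        if not in_otp:
            continue
        opener = STANZA_RE.match(line)
        if opener:
            current = opener.group(1)
            stanzas[current] = {}
        elif line == "}":
            current = None
        else:
            kv = KV_RE.match(line)
            if kv and current is not None:
                stanzas[current][kv.group(1)] = kv.group(2)
    return stanzas


def audit_secret(value: str, config_world_readable: bool = True) -> Tuple[str, List[str]]:
    """Classify one `secret` value and return (form, findings).

    form is "file" when the value is an absolute path (upstream semantics)
    and "literal" otherwise (krb5-1.11.3 semantics).
    """
    findings: List[str] = []
    if value.startswith("/"):
        form = "file"
        try:
            st = os.stat(value)
        except FileNotFoundError:
            findings.append(f"secret file {value} does not exist; a KDC that reads "
                            "`secret` as a literal would use the path string itself")
        else:
            if st.st_mode & (stat.S_IRGRP | stat.S_IROTH):
                findings.append(f"secret file {value} is group/world readable "
                                f"(mode {stat.S_IMODE(st.st_mode):04o})")
    else:
        form = "literal"
        if config_world_readable:
            findings.append("shared secret is stored literally in krb5.conf, "
                            "which is normally readable by every local user")
    return form, findings


def audit_config(text: str, config_path: Optional[str] = None) -> Dict[str, Tuple[str, List[str]]]:
    """Audit every [otp] stanza in text; config_path, if given, is stat'ed to
    decide whether a literal secret is exposed to other local users."""
    world_readable = True
    if config_path is not None:
        world_readable = bool(os.stat(config_path).st_mode & stat.S_IROTH)
    result: Dict[str, Tuple[str, List[str]]] = {}
    for name, kv in parse_otp_section(text).items():
        if "secret" in kv:
            result[name] = audit_secret(kv["secret"], world_readable)
        else:
            result[name] = ("missing", ["no `secret` key in stanza"])
    return result


# Constructed sample reproducing the [otp] stanza from the report above.
SAMPLE_CONF = """\
[libdefaults]
    default_realm = EXAMPLE.COM

[otp]
    DEFAULT = {
        server = localhost:1812
        secret = /tmp/secret
        #secret = testing123
        timeout = 5
        retries = 3
        strip_realm = true
    }
"""


def demo() -> Dict[str, Tuple[str, List[str]]]:
    """Audit the sample with a secret file that exists but is mode 0644."""
    with tempfile.NamedTemporaryFile("w", delete=False) as fh:
        fh.write("testing123\n")            # constructed shared secret, as in the report
        path = fh.name
    os.chmod(path, 0o644)
    try:
        return audit_config(SAMPLE_CONF.replace("/tmp/secret", path))
    finally:
        os.unlink(path)


if __name__ == "__main__":
    for stanza, (form, notes) in demo().items():
        print(f"[otp] {stanza}: secret form = {form}")
        for note in notes:
            print(f"  - {note}")
```

Run it against the real file with `audit_config(open("/etc/krb5.conf").read(), "/etc/krb5.conf")`; a stanza that comes back as "literal" is the one that will stop working once the KDC switches to upstream's file semantics, and it is also the one that leaks the RADIUS shared secret to every local user.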
This request was resolved in Red Hat Enterprise Linux 7.0. Contact your manager or support representative in case you have further questions about the request.