(Not subscribed, please Cc me on replies)

Hi all,

I'm trying to set up the MIT KDC with support for OTP tokens (yubikeys in my case, as a single factor, at least initially). I have the entire bit from the RADIUS server and backwards working correctly, but I can't get the KDC to see replies from the RADIUS server, it complains about «connection timed out». Platform is Debian jessie with the packaged 1.12.1, but I see the same problem with a 1.13 tar.gz build.

The problem also shows itself when running the t_otp test (where I had to change the type of User-Password to octets instead of string, but I doubt that's the problem):

: tfheen@xoog ..5-1.12.1+dfsg/build/tests > PYTHONPATH=../../src/util VALGRIND="" python ../../src/tests/t_otp.py -v
*** [1] Executing: /tmp/krb5-1.12.1+dfsg/build/kadmin/dbutil/kdb5_util create -W -s -P master
Loading random data
Initializing database '/etc/krb5kdc/principal' for realm 'KRBTEST.COM', master key name 'K/[email protected]'
*** [1] Completed with return code 0
*** [2] Executing: /tmp/krb5-1.12.1+dfsg/build/kadmin/cli/kadmin.local -q addprinc -pw user4812 [email protected]
WARNING: no policy specified for [email protected]; defaulting to no policy
Authenticating as principal tfheen/[email protected] with password.
Principal "[email protected]" created.
*** [2] Completed with return code 0
*** [3] Executing: /tmp/krb5-1.12.1+dfsg/build/kadmin/cli/kadmin.local -q addprinc -pw admin4812 user/[email protected]
WARNING: no policy specified for user/[email protected]; defaulting to no policy
Authenticating as principal tfheen/[email protected] with password.
Principal "user/[email protected]" created.
*** [3] Completed with return code 0
*** [4] Executing: /tmp/krb5-1.12.1+dfsg/build/kadmin/cli/kadmin.local -q addprinc -randkey host/[email protected]
WARNING: no policy specified for host/[email protected]; defaulting to no policy
Authenticating as principal tfheen/[email protected] with password.
Principal "host/[email protected]" created.
*** [4] Completed with return code 0
*** [5] Executing: /tmp/krb5-1.12.1+dfsg/build/kadmin/cli/kadmin.local -q ktadd -k /tmp/krb5-1.12.1+dfsg/build/tests/testdir/keytab -norandkey host/[email protected]
Authenticating as principal tfheen/[email protected] with password.
Entry for principal host/[email protected] with kvno 1, encryption type aes256-cts-hmac-sha1-96 added to keytab WRFILE:/tmp/krb5-1.12.1+dfsg/build/tests/testdir/keytab.
Entry for principal host/[email protected] with kvno 1, encryption type aes128-cts-hmac-sha1-96 added to keytab WRFILE:/tmp/krb5-1.12.1+dfsg/build/tests/testdir/keytab.
Entry for principal host/[email protected] with kvno 1, encryption type des3-cbc-sha1 added to keytab WRFILE:/tmp/krb5-1.12.1+dfsg/build/tests/testdir/keytab.
Entry for principal host/[email protected] with kvno 1, encryption type arcfour-hmac added to keytab WRFILE:/tmp/krb5-1.12.1+dfsg/build/tests/testdir/keytab.
*** [5] Completed with return code 0
*** [6] Starting: /tmp/krb5-1.12.1+dfsg/build/kdc/krb5kdc -n
krb5kdc: starting...
*** [6] Started with pid 4818
*** [7] Executing: /tmp/krb5-1.12.1+dfsg/build/clients/kinit/kinit [email protected]
Password for [email protected]:
*** [7] Completed with return code 0
*** [8] Executing: /tmp/krb5-1.12.1+dfsg/build/clients/klist/klist /tmp/krb5-1.12.1+dfsg/build/tests/testdir/ccache
Ticket cache: FILE:/tmp/krb5-1.12.1+dfsg/build/tests/testdir/ccache
Default principal: [email protected]

Valid starting       Expires              Service principal
12/22/14 11:45:10    12/23/14 11:45:10    krbtgt/[email protected]
*** [8] Completed with return code 0
*** [9] Executing: /tmp/krb5-1.12.1+dfsg/build/kadmin/cli/kadmin.local -q modprinc +requires_preauth [email protected]
Authenticating as principal user/[email protected] with password.
Principal "[email protected]" modified.
*** [9] Completed with return code 0
*** [10] Executing: /tmp/krb5-1.12.1+dfsg/build/kadmin/cli/kadmin.local -q setstr [email protected] otp "[{""type"": ""udp"", ""username"": ""custom""}]"
Authenticating as principal user/[email protected] with password.
Attribute set for principal "[email protected]".
*** [10] Completed with return code 0
*** [11] Executing: /tmp/krb5-1.12.1+dfsg/build/clients/kinit/kinit -T /tmp/krb5-1.12.1+dfsg/build/tests/testdir/ccache [email protected]
Enter OTP Token Value:
kinit: Preauthentication failed while getting initial credentials
*** [11] Completed with return code 1
*** [12] Executing: /tmp/krb5-1.12.1+dfsg/build/kadmin/cli/kadmin.local -q setstr [email protected] otp "[{""type"": ""udp""}]"
Authenticating as principal user/[email protected] with password.
Attribute set for principal "[email protected]".
*** [12] Completed with return code 0
*** [13] Executing: /tmp/krb5-1.12.1+dfsg/build/clients/kinit/kinit -T /tmp/krb5-1.12.1+dfsg/build/tests/testdir/ccache [email protected]
Enter OTP Token Value:
kinit: Preauthentication failed while getting initial credentials
*** [13] Completed with return code 1
*** Failure: /tmp/krb5-1.12.1+dfsg/build/clients/kinit/kinit failed with code 1.
Use --debug=NUM to run a command under a debugger.
Use --stop-after=NUM to stop after a daemon is started in order to attach to it with a debugger.
Use --help to see other options.

: tfheen@xoog ..5-1.12.1+dfsg/build/tests > cat testdir/kdc.log
otp: Loaded
Dec 22 11:45:10 xoog krb5kdc[4818](info): setting up network...
Dec 22 11:45:10 xoog krb5kdc[4818](info): listening on fd 12: udp 0.0.0.0.61000 (pktinfo)
krb5kdc: setsockopt(13,IPV6_V6ONLY,1) worked
krb5kdc: Invalid argument - Cannot request packet info for udp socket address :: port 61000
Dec 22 11:45:10 xoog krb5kdc[4818](info): skipping unrecognized local address family 17
Dec 22 11:45:10 xoog krb5kdc[4818](info): skipping unrecognized local address family 17
krb5kdc: setsockopt(13,IPV6_V6ONLY,1) worked
Dec 22 11:45:10 xoog krb5kdc[4818](info): listening on fd 13: udp 2001:840:4007:8:76d0:2bff:fe95:471b.61000
krb5kdc: setsockopt(14,IPV6_V6ONLY,1) worked
Dec 22 11:45:10 xoog krb5kdc[4818](info): listening on fd 14: udp 2001:840:4007:8::123.61000
krb5kdc: setsockopt(15,IPV6_V6ONLY,1) worked
Dec 22 11:45:10 xoog krb5kdc[4818](info): listening on fd 15: udp fe80::76d0:2bff:fe95:471b%eth0.61000
krb5kdc: setsockopt(16,IPV6_V6ONLY,1) worked
Dec 22 11:45:10 xoog krb5kdc[4818](info): listening on fd 17: tcp 0.0.0.0.61000
Dec 22 11:45:10 xoog krb5kdc[4818](info): listening on fd 16: tcp ::.61000
Dec 22 11:45:10 xoog krb5kdc[4818](info): set up 6 sockets
Dec 22 11:45:10 xoog krb5kdc[4818](info): commencing operation
Dec 22 11:45:10 xoog krb5kdc[4818](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 127.0.0.1: ISSUE: authtime 1419245110, etypes {rep=18 tkt=18 ses=18}, [email protected] for krbtgt/[email protected]
Dec 22 11:45:10 xoog krb5kdc[4818](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 127.0.0.1: NEEDED_PREAUTH: [email protected] for krbtgt/[email protected], Additional pre-authentication required
Dec 22 11:45:11 xoog krb5kdc[4818](info): DISPATCH: repeated (retransmitted?) request from 127.0.0.1, resending previous response
Dec 22 11:45:11 xoog krb5kdc[4818](info): closing down fd 19
Dec 22 11:45:14 xoog krb5kdc[4818](info): preauth (otp) verify failure: Connection timed out
Dec 22 11:45:14 xoog krb5kdc[4818](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 127.0.0.1: PREAUTH_FAILED: [email protected] for krbtgt/[email protected], Preauthentication failed
Dec 22 11:45:14 xoog krb5kdc[4818](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 127.0.0.1: NEEDED_PREAUTH: [email protected] for krbtgt/[email protected], Additional pre-authentication required
Dec 22 11:45:15 xoog krb5kdc[4818](info): DISPATCH: repeated (retransmitted?) request from 127.0.0.1, resending previous response
Dec 22 11:45:15 xoog krb5kdc[4818](info): closing down fd 19
Dec 22 11:45:18 xoog krb5kdc[4818](info): preauth (otp) verify failure: Connection timed out
Dec 22 11:45:18 xoog krb5kdc[4818](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 127.0.0.1: PREAUTH_FAILED: [email protected] for krbtgt/[email protected], Preauthentication failed
Dec 22 11:45:18 xoog krb5kdc[4818](debug): Got signal to request exit
Dec 22 11:45:18 xoog krb5kdc[4818](info): closing down fd 16
Dec 22 11:45:18 xoog krb5kdc[4818](info): closing down fd 17
Dec 22 11:45:18 xoog krb5kdc[4818](info): closing down fd 15
Dec 22 11:45:18 xoog krb5kdc[4818](info): closing down fd 14
Dec 22 11:45:18 xoog krb5kdc[4818](info): closing down fd 13
Dec 22 11:45:18 xoog krb5kdc[4818](info): closing down fd 12
Dec 22 11:45:18 xoog krb5kdc[4818](info): shutting down

Ideas?

-- 
Tollef Fog Heen
UNIX is user friendly, it's just picky about who its friends are

________________________________________________
Kerberos mailing list
[email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
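As an added example (not code from the mail above or from the krb5 tree), here is the exchange the KDC's otp module is attempting once the principal's otp string says "type": "udp": an RFC 2865 Access-Request over UDP carrying the token value as User-Password, followed by the Response Authenticator check on whatever comes back. It lets you test the RADIUS side on its own, separating a server that never answers (the KDC's "Connection timed out") from a reply the KDC would reject; the server address and shared secret handed to probe() are placeholders, and the binary User-Password encoding is also why that attribute is typed as octets rather than string.

```python
# Added example (not from the mail or the krb5 tree): RFC 2865 Access-Request encoder
# and reply verifier mirroring what the KDC's OTP preauth module does over UDP.
import hashlib
import os
import socket
import struct
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3  # RADIUS packet codes

def encode_user_password(secret, authenticator, otp):
    # RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous
    # block), seeded by the Request Authenticator. Output is binary, hence "octets".
    padded = otp + b"\0" * (-len(otp) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += prev
    return out

def build_access_request(secret, username, otp, ident=0, authenticator=None):
    # Header: code, identifier, length, 16-byte Request Authenticator; then attribute TLVs.
    authenticator = authenticator or os.urandom(16)
    pw = encode_user_password(secret, authenticator, otp)
    attrs = struct.pack("!BB", 1, len(username) + 2) + username  # User-Name (1)
    attrs += struct.pack("!BB", 2, len(pw) + 2) + pw  # User-Password (2)
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs

def verify_response(secret, request, response):  # reply code, or None if not authentic
    if len(response) < 20 or len(response) != struct.unpack("!H", response[2:4])[0]:
        return None
    # RFC 2865 3: ResponseAuth = MD5(Code+ID+Length + RequestAuth + Attributes + Secret)
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    if response[1] != request[1] or expected != response[4:20]:
        return None
    return response[0]

def fake_reply(secret, request, code):  # constructed attribute-less server reply, for offline tests
    hdr = struct.pack("!BBH", code, request[1], 20)
    return hdr + hashlib.md5(hdr + request[4:20] + secret).digest()

def probe(server, secret, username, otp, timeout=3.0):
    # One UDP round trip; None means no reply, the KDC's "Connection timed out" case.
    req = build_access_request(secret, username, otp)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(req, server)
        try:
            return verify_response(secret, req, s.recvfrom(4096)[0])
        except socket.timeout:
            return None
```

A call such as probe(("127.0.0.1", 1812), b"placeholder-secret", b"user", b"123456") against the RADIUS server the KDC is configured to use should return 2 (Access-Accept) or 3 (Access-Reject); None reproduces the timeout seen in kdc.log without involving the KDC at all.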
