Hi list.

I have 2FA enabled for many users in my organization; however, some of these users work on their own private devices and manually run kinit to obtain the TGT.

I was wondering why kinit asks:
"Enter OTP Token Value: "

This message is slightly confusing. In fact, the user is supposed to enter password+OTP here.

I've attempted reading RFC 6560. If I understand correctly, OTP is not really supposed to be used as a 2nd factor with Kerberos?

Another minor trouble with BYOD setups is that the OTP user has to manually obtain an anonymous ticket for FAST before being able to run kinit.

Interestingly, FAST is not required for Smart Card PKINIT to work.

None of this is really a big problem, it's just troublesome to explain in one sentence "how does Kerberos authentication work in our organization".

Of course with Linux clients joined to the IPA domain, all of these details are abstracted by sssd and therefore a non-issue from the user's perspective.
Best regards,
Radoslaw
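As an added example (not part of the original post), the two-step BYOD flow the message describes, wrapped in a small POSIX sh helper: first an anonymous ticket is obtained into a separate credential cache to serve as FAST armor, then the real user authenticates inside that FAST tunnel, typing password followed by OTP at the "Enter OTP Token Value:" prompt. It assumes MIT Kerberos kinit/kdestroy/klist, that anonymous PKINIT is enabled on the IPA KDC (otherwise the first step fails), and uses a placeholder principal alice@EXAMPLE.TEST; DRY_RUN=1 only prints the commands so the sequence can be checked without a KDC.

```shell
#!/bin/sh
# Added example, not from the original post or the FreeIPA project.
# Assumptions: MIT Kerberos client tools; anonymous PKINIT enabled on the KDC.

# Separate cache for the armor ticket so it never mixes with the user's TGT.
ARMOR_CCACHE="${ARMOR_CCACHE:-FILE:/tmp/armor.ccache.$$}"

# Step 1: anonymous PKINIT (kinit -n) into the armor cache.
armor_cmd() {
    printf 'kinit -n -c %s\n' "$1"
}

# Step 2: FAST-armored kinit for the real user (-T names the armor cache).
# At "Enter OTP Token Value:" the user enters password immediately
# followed by the OTP, as the post explains.
user_cmd() {
    printf 'kinit -T %s %s\n' "$1" "$2"
}

# Run both steps in order; with DRY_RUN=1 only print them.
# Usage: byod_kinit alice@EXAMPLE.TEST [armor-ccache]
byod_kinit() {
    principal="$1"
    ccache="${2:-$ARMOR_CCACHE}"
    if [ "${DRY_RUN:-0}" = "1" ]; then
        armor_cmd "$ccache"
        user_cmd "$ccache" "$principal"
        return 0
    fi
    kinit -n -c "$ccache" || { echo "anonymous PKINIT failed (is it enabled on the KDC?)" >&2; return 1; }
    kinit -T "$ccache" "$principal" || { kdestroy -c "$ccache" 2>/dev/null; return 1; }
    # The armor ticket is no longer needed once the user TGT exists.
    kdestroy -c "$ccache" 2>/dev/null || true
    # Check: a valid, unexpired TGT is now in the default cache.
    klist -s
}
```

Running `DRY_RUN=1 byod_kinit alice@EXAMPLE.TEST` prints the two commands a BYOD user has to type by hand; on a joined client sssd performs the equivalent armoring itself, which is why none of this is visible there.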
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org