> make it look like you can put the secret directly into the
> configuration file. There seems to be a little bit of disconnect
> between those two parts of the docs. I just wanted to point it out if
> it is helpful.

It looks like (according to the source code) it has to have that as a filename.

> I've tried to configure my kdc.conf with the required otp stanzas:

Well, it's a preauthentication mechanism, so FIRST you have to make sure your principal is configured to require preauthentication. And there is a note at the bottom of that page that suggests you need to be using FAST, which implies you need to set up a FAST credential cache. And I will be the first person to confess that I've always been a little hazy on how exactly that works! (We do use an OTP preauthentication mechanism, but it predates the newer OTP mechanism you're using.)

I am not aware of any extant documentation that explains how you're supposed to use FAST in practice, which I always found a bit odd. I wasn't involved with Kerberos protocol development when FAST was designed, but I remember a lot of messages about it; it seems like there's a giant hole on how exactly you're supposed to use it when it comes down to the nuts and bolts. If there is some documentation about it, hey, I'd love to read it! One of my long-term plans is to migrate our weird stuff to something based on OTP, which would involve FAST, and I sure hope that's actually possible in practice. (I am aware that without an available local keytab you'd have to do anonymous PKINIT, and that wouldn't be too bad for us since we already have all of the certificate stuff deployed for PKINIT with Kerberos, but if you DIDN'T already have everything set up for PKINIT it would be about as much fun as a punch in the face from John Cena.)

My guess is you could use kinit -k to get a TGT based on a keytab on the host and then give THAT credential cache you create to the kinit command using the -T option. Again, that's just a guess.

--Ken

________________________________________________
Kerberos mailing list
[email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
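The following is an added example, not code from Ken's message or from the MIT Kerberos project, that pulls the pieces of this thread together in one shell script: a kdc.conf [otp] stanza whose "secret" tag names a file rather than carrying the RADIUS shared secret inline (the point made at the top of the reply), that secret file created with KDC-only permissions plus a check a practitioner would run after deploying, the kadmin step that makes the principal require preauthentication, and the two-step sequence Ken guesses at (kinit -k from the host keytab into its own cache, then that cache handed to kinit -T as the FAST armor cache). The RADIUS server name, realm, principal names, keytab path and the secret value are constructed for illustration; the kadmin/kinit functions need a live realm and only run when the tools are installed and RUN_KINIT is set. The kinit options -k, -t, -c and -T and the kdc.conf tags server, secret, timeout, retries and strip_realm are real MIT Kerberos options.

```shell
#!/bin/sh
# Added example for the thread above, not code from Ken's message or from the
# MIT Kerberos project. Server name, realm, principals, keytab path and the
# secret value are constructed for illustration.

# Directory standing in for the KDC state directory (e.g. /var/lib/krb5kdc).
KDC_DIR="${KDC_DIR:-$(mktemp -d)}"

# The RADIUS shared secret goes in the FIRST LINE of a file that only the KDC
# can read; kdc.conf then points at that file instead of holding the secret.
write_radius_secret() {
    secret_file="$1"; secret="$2"
    ( umask 077; printf '%s\n' "$secret" > "$secret_file" )
    chmod 0600 "$secret_file"
}

# kdc.conf [otp] stanza: "secret" is a filename, not the secret itself.
# Token type DEFAULT is what the KDC uses when the client names no type.
write_otp_stanza() {
    conf="$1"; secret_file="$2"
    cat > "$conf" <<EOF
[otp]
    DEFAULT = {
        server = radius.example.com:1812
        secret = $secret_file
        timeout = 5
        retries = 3
        strip_realm = true
    }
EOF
}

# Deployment check: the file named by "secret =" must exist and must not be
# group- or world-readable. Returns non-zero on any failure.
check_otp_secret() {
    conf="$1"
    f=$(sed -n 's/^[[:space:]]*secret[[:space:]]*=[[:space:]]*//p' "$conf")
    [ -n "$f" ] && [ -f "$f" ] || return 1
    perms=$(ls -l "$f" | cut -c5-10)   # group and other permission bits
    [ "$perms" = "------" ]
}

# OTP is a preauthentication mechanism: the principal has to require preauth.
require_preauth() {
    kadmin.local -q "modprinc +requires_preauth $1"
}

# Ken's guessed sequence, using real kinit options: get a TGT from the host
# keytab into its own cache (-k -t -c), then pass that cache to kinit as the
# FAST armor cache (-T) for the user principal; the OTP value is prompted for.
otp_fast_kinit() {
    host_princ="$1"; user_princ="$2"
    armor="FILE:$KDC_DIR/armor.ccache"
    kinit -k -t /etc/krb5.keytab -c "$armor" "$host_princ" || return 1
    kinit -T "$armor" "$user_princ"
}

write_radius_secret "$KDC_DIR/otp.secret" 'constructed-example-secret'
write_otp_stanza "$KDC_DIR/kdc.conf" "$KDC_DIR/otp.secret"
if check_otp_secret "$KDC_DIR/kdc.conf"; then
    echo "otp secret file OK: $KDC_DIR/otp.secret"
else
    echo "otp secret file missing or too permissive" >&2
fi

# The KDC and client steps need a live realm; run them only when asked.
if [ -n "${RUN_KINIT:-}" ] && command -v kinit >/dev/null 2>&1; then
    require_preauth "alice@EXAMPLE.COM"
    otp_fast_kinit "host/kdc.example.com@EXAMPLE.COM" "alice@EXAMPLE.COM"
fi
```

Run without RUN_KINIT to generate and check the stanza and secret file in a scratch directory; set KDC_DIR to the real KDC state directory and RUN_KINIT=1 on a host that has the keytab and kadmin.local to exercise the preauth and armor-cache steps against a live KDC.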
