Thanks. We’ll try to OTP. If there’s no PKINIT, I guess that means the armor will have to come from the machine credentials. That should be workable.
A couple of us do kinit from home on the Mac. I don’t have a long list of people asking for it for Windows, but if a couple of people do it for Mac probably a few would do it for Windows as well. I’m paranoid enough about the server to want use from outside the department to go through the proxy. On Jan 16, 2019, at 12:01:19 PM, Greg Hudson <ghud...@mit.edu> wrote: On 1/16/19 11:23 AM, Charles Hedrick wrote: We’re starting to use Windows Kerberos, with a 3rd party login screen that calls Kerberos. Some of our staff use FreeOTP 2FA. As far as I can tell, the most recent KfW doesn’t support 2FA or the https: proxy. KfW 4.1 is based on krb5 1.13, which includes the OTP client code, so I think that's only half correct. Are there plans for a new release that would do so? I was planning to do a Windows release based on the 1.17 branch (for SPAKE support, if nothing else), but I don't have a specific time-table. HTTPS proxy support is not currently part of the Windows build, because of the OpenSSL dependency. I can make an attempt to bring that in when I make time to do work on the Windows port. (Bringing in an OpenSSL dependency would also make it possible to enable PKINIT support, though that might also require some work on the PKINIT code.) It is now possible to build the Windows installer from source using the community (no-cost) version of the MS compiler. See src/windows/README in the source tree for details. ________________________________________________ Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos