[Freeipa-users] Kinit with 2-Factor not working

Sumit Bose sbose at redhat.com
Wed Jun 22 16:29:20 UTC 2016


On Wed, Jun 22, 2016 at 11:54:10AM -0400, Geordie Grindle wrote:
> 
> Hello,
> 
> On our current IPA realm where we have not used 2-factor, we've been able to kinit to our FreeIPA realm from our laptops.  All a Mac user needed to do, for example, was to configure a 'krb5.conf' file and then 'kinit user1@OUR.IPA.REALM.COM'. This would allow us to work on our infrastructure without having to re-authenticate for the lifetime of our ticket-granting-ticket, usually the length of a work day.
> 
> We are building a new realm using 'ipa-server-4.2.0-15' and will be requiring 2-factor for authentication. So far it works well, meaning we can ssh to a jump host enrolled in our realm and from there move to other hosts in the realm without having to re-authenticate.
> 
> However, we can no longer ‘kinit’. I’ve dug around in the webs and have concluded that either this is a known issue that is not yet fixed, or perhaps someone has fixed it but not yet shared how they got this to work.

This is expected behaviour. See
http://www.freeipa.org/page/V4/OTP for details especially
http://www.freeipa.org/page/V4/OTP#kinit_Method.

Unfortunately in general you do not have a second ccache which can be
used to get the needed armor ticket for FAST.

There is ongoing work on SPAKE
http://k5wiki.kerberos.org/wiki/Projects/SPAKE_preauth_prereqs and
also anonymous pkinit on the IPA side to lift the requirement but
currently FAST and a second ccache are needed for OTP.

HTH

bye,
Sumit

> 
> How is this impacting anyone else? Does anyone have any helpful information they can share?
> 
> thanks,
> Geordie Grindle
> 
> 

> -- 
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project
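The "kinit Method" that the reply above links to, written out as a POSIX shell script. This is an added example, not code from the thread or from the FreeIPA project. It assumes you are on an IPA-enrolled host that has a readable /etc/krb5.keytab (the jump host, not the laptop), and the realm, principal and ccache paths are placeholders taken from the question. The first kinit uses the host keytab to obtain an armor ticket into its own ccache; the second kinit is armored with that ccache via -T, so the KDC will do the OTP exchange inside a FAST tunnel. When there is no keytab, which is exactly the laptop case in the question, the script stops with a clear message instead of running a kinit that the KDC will reject.

```shell
#!/bin/sh
# Added example (not from the original post or the FreeIPA project):
# obtain an OTP-protected TGT with kinit by first fetching a FAST armor
# ticket from an enrolled host's keytab, as on the FreeIPA V4/OTP page.
# Assumptions: an enrolled host with /etc/krb5.keytab; the realm, user and
# host names below are placeholders based on the question.

# kinit command to run; overridable so the procedure can be exercised
# without a KDC (a test may point this at a stub function).
: "${KINIT:=kinit}"

# Host principal of this machine, e.g. host/jump.our.ipa.realm.com@REALM.
host_principal() {
    # $1 = realm
    printf 'host/%s@%s\n' "$(hostname -f)" "$1"
}

# Step 1: armor ticket from the host keytab into a separate ccache.
# Fails with a message when no keytab is readable: without one there is
# no source for the armor ticket, which is the laptop situation in the
# thread, and OTP kinit cannot work.
get_armor_ticket() {
    # $1 = host principal, $2 = keytab path, $3 = armor ccache path
    if [ ! -r "$2" ]; then
        echo "no readable keytab at $2: no armor ticket source for FAST" >&2
        return 1
    fi
    "$KINIT" -k -t "$2" -c "$3" "$1"
}

# Step 2: kinit as the user, armored with that ccache (-T). kinit prompts
# for password+OTP and the exchange runs inside FAST; the TGT lands in the
# default ccache (KRB5CCNAME), not in the armor ccache.
otp_kinit() {
    # $1 = user principal, $2 = armor ccache path
    "$KINIT" -T "$2" "$1"
}

# The whole procedure: armor first, then the armored OTP kinit.
otp_login() {
    # $1 = user principal, $2 = host principal, $3 = keytab, $4 = armor ccache
    get_armor_ticket "$2" "$3" "$4" || return 1
    otp_kinit "$1" "$4"
}

# Usage on an enrolled host (placeholder realm): sh otp-kinit.sh run
if [ "${1:-}" = "run" ]; then
    REALM=OUR.IPA.REALM.COM
    otp_login "user1@$REALM" "$(host_principal "$REALM")" \
        /etc/krb5.keytab /tmp/armor.ccache
fi
```

The armor ccache only needs to hold the host's own TGT, so keep it separate from the user's ccache and remove it afterwards; the user's armored TGT then behaves like the non-OTP one in the question for its whole lifetime. A user-only laptop with no enrolled host keytab has nothing to put in that first ccache, which is the limitation the reply describes.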
