This plugin implements the proposal for providing OTP support by proxying requests to RADIUS. Details can be found inside the provided documentation as well as on the project page. http://k5wiki.kerberos.org/wiki/Projects/OTPOverRADIUS ticket: 7678
1 parent 8b8f031, commit 4b5dd8b
Showing 14 changed files with 1,528 additions and 0 deletions.
@@ -14,6 +14,7 @@ For administrators | |
host_config.rst | ||
backup_host.rst | ||
pkinit.rst | ||
otp.rst | ||
princ_dns.rst | ||
enctypes.rst | ||
|
||
@@ -0,0 +1,85 @@ | ||
OTP Preauthentication | ||
===================== | ||
|
||
OTP is a preauthentication mechanism for Kerberos 5 which uses One | ||
Time Passwords (OTP) to authenticate the client to the KDC. The OTP | ||
is passed to the KDC over an encrypted FAST channel in clear-text. | ||
The KDC uses the password along with per-user configuration to proxy | ||
the request to a third-party RADIUS system. This enables | ||
out-of-the-box compatibility with a large number of already widely | ||
deployed proprietary systems. | ||
|
||
Additionally, our implementation of the OTP system allows for the | ||
passing of RADIUS requests over a UNIX domain stream socket. This | ||
permits the use of a local companion daemon which can handle the | ||
details of authentication. | ||
|
||
|
||
Defining token types | ||
-------------------- | ||
|
||
Token types are defined in either krb5.conf or kdc.conf according to | ||
the following format:: | ||
|
||
[otp] | ||
<name> = { | ||
server = <host:port or filename> (default: $KDCDIR/<name>.socket) | ||
secret = <filename> | ||
timeout = <integer> (default: 5 [seconds]) | ||
retries = <integer> (default: 3) | ||
strip_realm = <boolean> (default: true) | ||
} | ||
|
||
If the server field begins with '/', it will be interpreted as a UNIX | ||
socket. Otherwise, it is assumed to be in the format host:port. When | ||
a UNIX domain socket is specified, the secret field is optional and an | ||
empty secret is used by default. | ||
|
||
When forwarding the request over RADIUS, by default the principal is | ||
used in the User-Name attribute of the RADIUS packet. The strip_realm | ||
parameter controls whether the principal is forwarded with or without | ||
the realm portion. | ||
|
||
|
||
The default token type | ||
---------------------- | ||
|
||
A default token type is used internally when no token type is specified for a | ||
given user. It is defined as follows:: | ||
|
||
[otp] | ||
DEFAULT = { | ||
strip_realm = false | ||
} | ||
|
||
The administrator may override the internal ``DEFAULT`` token type | ||
simply by defining a configuration with the same name. | ||
|
||
|
||
Token instance configuration | ||
---------------------------- | ||
|
||
To enable OTP for a client principal, the administrator must define | ||
the **otp** string attribute for that principal. The **otp** user | ||
string is a JSON string of the format:: | ||
|
||
[{ | ||
"type": <string>, | ||
"username": <string> | ||
}, ...] | ||
|
||
This is an array of token objects. Both fields of token objects are | ||
optional. The **type** field names the token type of this token; if | ||
not specified, it defaults to ``DEFAULT``. The **username** field | ||
specifies the value to be sent in the User-Name RADIUS attribute. If | ||
not specified, the principal name is sent, with or without realm as | ||
defined in the token type. | ||
|
||
For ease of configuration, an empty array (``[]``) is treated as | ||
equivalent to one DEFAULT token (``[{}]``). | ||
|
||
|
||
Other considerations | ||
-------------------- | ||
|
||
#. FAST is required for OTP to work. |
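Review bot: the `secret = <filename>` setting in the token type block is underspecified: the text does not say how the file is read (whole contents, first line only, trailing newline stripped) or what ownership and mode the KDC expects, and since the RADIUS shared secret is what authenticates and integrity-protects the exchange, a sentence on both belongs here, e.g. "The file must be readable only by the user the KDC runs as." In the same section, the UNIX socket case where "an empty secret is used by default" should spell out the consequence: with an empty secret the RADIUS authenticators and the User-Password obfuscation protect nothing, so the filesystem permissions on `$KDCDIR/<name>.socket` are the only barrier between other local users and the companion daemon. The per-type default `strip_realm = true` also contrasts with the built-in DEFAULT's `strip_realm = false` without saying why. Token instance configuration leaves open what happens when the array holds several tokens (tried in order until one accepts? all required?) and whether `host:port` allows a default port or a bracketed IPv6 literal; the one-item `#.` list under Other considerations is the natural place for these caveats.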
@@ -0,0 +1,31 @@ | ||
mydir=plugins$(S)preauth$(S)otp | ||
BUILDTOP=$(REL)..$(S)..$(S).. | ||
MODULE_INSTALL_DIR = $(KRB5_PA_MODULE_DIR) | ||
|
||
LIBBASE=otp | ||
LIBMAJOR=0 | ||
LIBMINOR=0 | ||
RELDIR=../plugins/preauth/otp | ||
|
||
SHLIB_EXPDEPS = $(VERTO_DEPLIBS) $(KRB5_BASE_DEPLIBS) \ | ||
$(TOPLIBD)/libkrad$(SHLIBEXT) | ||
|
||
SHLIB_EXPLIBS= -lkrad $(VERTO_LIBS) $(KRB5_BASE_LIBS) | ||
|
||
STLIBOBJS = \ | ||
otp_state.o \ | ||
main.o | ||
|
||
SRCS = \ | ||
$(srcdir)/otp_state.c \ | ||
$(srcdir)/main.c | ||
|
||
all-unix:: all-liblinks | ||
install-unix:: install-libs | ||
clean-unix:: clean-liblinks clean-libs clean-libobjs | ||
|
||
clean:: | ||
$(RM) lib$(LIBBASE)$(SO_EXT) | ||
|
||
@libnover_frag@ | ||
@libobj_frag@ |
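Review bot: style point on the path variables at the top of the makefile: `mydir=plugins$(S)preauth$(S)otp` uses the portable `$(S)` separator while `RELDIR=../plugins/preauth/otp` hardcodes `/`; if RELDIR only feeds the Unix library fragments that is harmless, but matching the two spellings avoids the question. `LIBMAJOR=0` and `LIBMINOR=0` appear to be unused under `@libnover_frag@`, which builds an unversioned module; if that is so, a one-line comment saying they are kept for consistency with the other preauth plugins would save the next reader a lookup. The link order in `SHLIB_EXPLIBS= -lkrad $(VERTO_LIBS) $(KRB5_BASE_LIBS)` is correct, since libkrad itself depends on both verto and the krb5 base libraries.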
@@ -0,0 +1,26 @@ | ||
# | ||
# Generated makefile dependencies follow. | ||
# | ||
otp_state.so otp_state.po $(OUTPRE)otp_state.$(OBJEXT): \ | ||
$(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \ | ||
$(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \ | ||
$(COM_ERR_DEPS) $(top_srcdir)/include/k5-buf.h $(top_srcdir)/include/k5-err.h \ | ||
$(top_srcdir)/include/k5-gmt_mktime.h $(top_srcdir)/include/k5-int-pkinit.h \ | ||
$(top_srcdir)/include/k5-int.h $(top_srcdir)/include/k5-json.h \ | ||
$(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-plugin.h \ | ||
$(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/k5-trace.h \ | ||
$(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \ | ||
$(top_srcdir)/include/krb5/plugin.h $(top_srcdir)/include/krb5/preauth_plugin.h \ | ||
$(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \ | ||
otp_state.c otp_state.h | ||
main.so main.po $(OUTPRE)main.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ | ||
$(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ | ||
$(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(top_srcdir)/include/k5-buf.h \ | ||
$(top_srcdir)/include/k5-err.h $(top_srcdir)/include/k5-gmt_mktime.h \ | ||
$(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \ | ||
$(top_srcdir)/include/k5-json.h $(top_srcdir)/include/k5-platform.h \ | ||
$(top_srcdir)/include/k5-plugin.h $(top_srcdir)/include/k5-thread.h \ | ||
$(top_srcdir)/include/k5-trace.h $(top_srcdir)/include/krb5.h \ | ||
$(top_srcdir)/include/krb5/authdata_plugin.h $(top_srcdir)/include/krb5/plugin.h \ | ||
$(top_srcdir)/include/krb5/preauth_plugin.h $(top_srcdir)/include/port-sockets.h \ | ||
$(top_srcdir)/include/socket-utils.h main.c otp_state.h |
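Review bot: neither dependency list mentions a krad header, yet the makefile links `-lkrad` and lists `$(TOPLIBD)/libkrad$(SHLIBEXT)` in SHLIB_EXPDEPS, so either `otp_state.c` and `main.c` reach the libkrad API through a header outside the tracked include directories or these generated lines are stale; re-run `make depend` once the include set settles and confirm the header appears, otherwise changes to the krad API will not trigger a rebuild of this module. Both objects also depend on `k5-int-pkinit.h` and `krb5/authdata_plugin.h`, which arrive transitively through `k5-int.h`; that is expected for a generated list and needs no change.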