[Samba] OTP authentication

the2nd at otpme.org the2nd at otpme.org
Mon Jan 26 13:50:27 MST 2015


On 2015-01-26 20:03, Andrew Bartlett wrote:
> On Thu, 2015-01-22 at 16:20 +0100, the2nd at otpme.org wrote:
>> Talking about samba 4 with kerberos and windows clients, do you know
>> what preauth type is used when using standard auth with static
>> passwords?
>> 
>> I personally would prefer a solution where no changes are needed on
>> the client side. If it would be possible to hand over the preauth data
>> to a third party tool for verification, like I described previously,
>> there would be no need to transmit the OTP from the client to
>> samba/kdc. The third party tool just needs to return the valid OTP to
>> the KDC. There would also be no reason to implement all OTP types and
>> features in the KDC. There are already working OTP solutions,
>> commercial and open source.
> 
> My suggestion involves knowing a fairly small number of possible
> passwords, and then modifying the Heimdal KDC to operate in a loop,
> walking over the list of keys generated from those passwords, provided
> to Heimdal from the OTP provider (this is totally the reverse to the
> way OTP setups are traditionally done).  It would be CPU intensive, but
> might allow interop in limited circumstances that otherwise would
> require client changes.

I don't know how CPU intensive it is to generate the needed keys, but
generating the MOTP OTPs is not very CPU intensive. Also the amount of
OTPs that needs to be generated depends on the configured time window
where the OTP should be valid. For MOTP the timestep for an OTP is 10
seconds, so you have to generate only 6 OTPs per minute of the time
window.

> 
>> Yesterday I asked on the freeradius mailing list if it would be
>> possible to use a radius request/response for OTP verification (via
>> preauth data) and returning of the valid OTP.
>> 
>> http://freeradius.1045715.n5.nabble.com/encrypted-response-parameter-td5731415.html
>> 
>> It looks like this would be possible as there is a response attribute
>> "Tunnel-Password" which is encrypted.
>> 
>> However, implementing most of this is out of my scope as I don't have
>> the (coding) skills to do it. ;)
>> 
>> So it depends on whether there is someone else who is willing to
>> implement it. But I think many admins would be happy if it would be
>> possible to use OTPs without the need for any client changes. And I
>> also think that at least other open source projects like privacyidea
>> would be happy to add support for this.
>> 
>> My perfect setup would look like this:
>> - setup freeradius with a tool like otpme that knows how to verify
>> preauth data
> 
> The issue there is that you just move the KDC into otpme.  Verifying
> the pre-auth data and returning an encrypted response is pretty much
> the whole of the AS-REQ element of the KDC, or at least the hard parts.
> 

Ok. But I guess this is the only way to make it possible to hand over
OTP verification to a third party app, and only this way real OTPme
integration would be possible.
Also it would keep the load for key generation away from the KDC, I
think....


>> - configure samba/kdc to send preauth data via a radius request to
>> this server and get back the clear text OTP over a secure channel
>> 
>> Using radius would also be nice because I guess it could also be used
>> in samba3 environments where no kerberos is involved. I'm not sure
>> about this but I guess it should be possible that samba3 sends an
>> mschap/ntlm request via radius when a user logs in?
> 
> A radius module was never written for Samba's pluggable auth module,
> but there is no reason it couldn't technically be done on top of mschap.
> Pushing NTLMv2 in might require the server to be 'flexible' with what
> it accepts in terms of packet length, but if we control the stack, we
> can be flexible.

With server you mean the OTP server? OTPme currently supports
challenge/response authentication with OTPs using the functions from
this script:

https://attachments.samba.org/attachment.cgi?id=5015

This works perfectly with challenge/response requests from wlan clients
I get from the freeradius mschap module.

> 
> This would limit you to situations where you can use NTLM (classic
> domains etc), but remains interesting.
> 

I personally would be happy with radius support only in samba3 because
my employer has not migrated to samba4 yet. But I'm also interested in
samba4 integration with OTPme.


>> Btw. Alan DeKok from freeradius is willing to help with the radius
>> part if there is someone who is interested in implementing this.
>> 
>> I personally would be really happy about such a feature as samba is
>> currently the only oss software I was not able to get going with
>> otpme.
>> 
>> regards
>> the2nd
>> 
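The candidate-list idea discussed in this thread (the OTP provider hands the KDC the small set of OTPs valid in the configured window, 6 per minute at mOTP's 10-second timestep) as an added Python example; this is not code from OTPme, Samba or the thread. It assumes the public Mobile-OTP algorithm (md5 over epoch/10 || secret || PIN, first six hex digits) and a constructed secret, PIN and clock; the Kerberos key derivation Andrew describes is not included.

```python
import hashlib
import hmac

MOTP_STEP_SECONDS = 10  # mOTP derives one OTP per 10-second timestep

# Constructed demo values: a real deployment reads these from the OTP store.
DEMO_SECRET = "0123456789abcdef"  # 16 hex characters, the usual mOTP init secret
DEMO_PIN = "1234"
DEMO_NOW = 1422300000  # constructed epoch seconds, a multiple of 10


def motp(epoch_seconds: int, secret: str, pin: str) -> str:
    """Mobile-OTP: md5(epoch with last digit dropped || secret || PIN)[:6]."""
    counter = epoch_seconds // MOTP_STEP_SECONDS
    digest = hashlib.md5(f"{counter}{secret}{pin}".encode("ascii")).hexdigest()
    return digest[:6]


def candidate_otps(now: int, secret: str, pin: str, window_seconds: int) -> list[str]:
    """All OTPs valid within +/- window_seconds of `now`, oldest first.

    This is the 'small number of possible passwords' the OTP provider would
    hand to the KDC so it can loop over the keys derived from them.
    """
    first = (now - window_seconds) // MOTP_STEP_SECONDS
    last = (now + window_seconds) // MOTP_STEP_SECONDS
    return [motp(c * MOTP_STEP_SECONDS, secret, pin) for c in range(first, last + 1)]


def verify_otp(otp: str, now: int, secret: str, pin: str, window_seconds: int = 30) -> bool:
    """Accept `otp` if it matches any candidate; compare each in constant time."""
    candidates = candidate_otps(now, secret, pin, window_seconds)
    return any(hmac.compare_digest(otp, cand) for cand in candidates)


if __name__ == "__main__":
    cands = candidate_otps(DEMO_NOW, DEMO_SECRET, DEMO_PIN, 30)
    print(f"{len(cands)} candidates for a 60 s window: {cands}")
    current = motp(DEMO_NOW, DEMO_SECRET, DEMO_PIN)
    print("current OTP accepted:", verify_otp(current, DEMO_NOW, DEMO_SECRET, DEMO_PIN))
```

A deployed verifier must additionally remember the OTPs it has accepted so the same value cannot be reused within the window.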
