Thoughts on Kerberos Two-Factor-Authentication with TOTP

Thu 10 January 2019 | tags: tech

Kerberos itself is a neat protocol if you set aside some security problems and the way it is bolted onto HTTP (SPNEGO/Negotiate) when authenticating through it. At work, we wanted to deploy two-factor authentication using TOTP. We already have a nice TOTP API in place that can store and validate tokens against our central IDM.

I thought getting Kerberos to accept the OTPs and validate them through the API should not be hard, as Kerberos already has a mechanism for OTP. It turns out that the OTP implementation in Kerberos can only be used for 2FA with TOTP with PAM magic (see OTP with Radius and Kerberos). By default Kerberos can only use the OTP as an alternative form of authentication, so you use either your OTP or your password. This is not what we wanted; the OTP exchange also has to run inside FAST, which needs armor and in practice means a PKINIT setup, e.g. X.509 user certificates or anonymous PKINIT against a KDC certificate.

Thankfully there is a new version of the krb5-kdc (MIT krb5 1.17) that implements SPAKE preauthentication. In short, SPAKE runs a password-authenticated key exchange with the KDC, so the password itself never crosses the wire and cannot be brute-forced offline by a passive observer; the resulting key can then protect a second factor such as your TOTP, which is sent inside that encrypted exchange. I will try to set this up and report the results. Hopefully, I can implement a RADIUS stub for handling the verification of the OTP token, as Kerberos can only hand OTP tokens off to RADIUS.
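The RADIUS hand-off that both the existing OTP preauth and the planned stub rely on, as an added example that is not code from the post or from MIT krb5: a minimal RADIUS server side that takes an Access-Request, recovers the OTP from the User-Password attribute (RFC 2865 section 5.2), checks it as an RFC 6238 TOTP with a one-step clock-skew window, and answers with a correctly signed Access-Accept or Access-Reject. The client half (what the KDC would send) is included so the whole exchange runs offline. It assumes the KDC puts the OTP value in User-Password and the principal in User-Name; the shared secret, the principal `alice` and the token key are constructed sample data (the key is the RFC 6238 test vector), standing in for the central IDM API.

```python
"""RADIUS stub validating TOTP codes for a Kerberos KDC (added example, not the post's code).

Assumed, not from the post: the KDC sends the OTP as User-Password and the
principal as User-Name; secrets below are constructed sample data.
"""
import hashlib
import hmac
import os
import struct
import time

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2

RADIUS_SECRET = b"kdc-radius-shared-secret"          # constructed shared secret
TOTP_SECRETS = {b"alice": b"12345678901234567890"}   # RFC 6238 test-vector key, stands in for the IDM


def totp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 6238/4226: HMAC-SHA1 over the 64-bit step counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify_totp(secret: bytes, code: str, now: float, step: int = 30, window: int = 1) -> bool:
    """Accept the code for the current step or up to `window` steps of clock skew either way."""
    counter = int(now // step)
    return any(hmac.compare_digest(totp(secret, counter + d), code)
               for d in range(-window, window + 1))


def _xor_blocks(data: bytes, req_auth: bytes, secret: bytes, decrypt: bool) -> bytes:
    """RFC 2865 5.2 User-Password hiding: each 16-byte block is XORed with
    MD5(secret + previous ciphertext block); the first block uses the Request Authenticator."""
    out, prev = b"", req_auth
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        pad = hashlib.md5(secret + prev).digest()
        result = bytes(a ^ b for a, b in zip(block, pad))
        out += result
        prev = block if decrypt else result   # chaining always uses the ciphertext block
    return out


def encrypt_user_password(pw: bytes, req_auth: bytes, secret: bytes) -> bytes:
    padded = pw.ljust(max(16, (len(pw) + 15) // 16 * 16), b"\x00")  # NUL-pad to 16-byte multiple
    return _xor_blocks(padded, req_auth, secret, decrypt=False)


def decrypt_user_password(enc: bytes, req_auth: bytes, secret: bytes) -> bytes:
    return _xor_blocks(enc, req_auth, secret, decrypt=True).rstrip(b"\x00")


def parse_attrs(data: bytes) -> dict:
    """Parse type/length/value attributes, rejecting lengths that run past the packet."""
    attrs, i = {}, 0
    while i + 2 <= len(data):
        t, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed RADIUS attribute")
        attrs[t] = data[i + 2:i + length]
        i += length
    return attrs


def build_response(code: int, ident: int, req_auth: bytes, secret: bytes, attrs: bytes = b"") -> bytes:
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret) (RFC 2865 3)."""
    header = struct.pack(">BBH", code, ident, 20 + len(attrs))
    resp_auth = hashlib.md5(header + req_auth + attrs + secret).digest()
    return header + resp_auth + attrs


def handle_access_request(packet: bytes, secret: bytes, now: float) -> bytes:
    """Server side: recover the OTP, check it against the user's TOTP key, sign the verdict."""
    if len(packet) < 20:
        raise ValueError("RADIUS packet too short")
    code, ident, length = struct.unpack(">BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet):
        raise ValueError("not a well-formed Access-Request")
    req_auth = packet[4:20]
    attrs = parse_attrs(packet[20:])
    user, enc = attrs.get(ATTR_USER_NAME), attrs.get(ATTR_USER_PASSWORD)
    accepted = False
    if user in TOTP_SECRETS and enc:
        otp = decrypt_user_password(enc, req_auth, secret)
        accepted = otp.isdigit() and verify_totp(TOTP_SECRETS[user], otp.decode(), now)
    return build_response(ACCESS_ACCEPT if accepted else ACCESS_REJECT, ident, req_auth, secret)


def build_access_request(ident: int, user: bytes, otp: bytes, secret: bytes, req_auth: bytes = b"") -> bytes:
    """Client side (the KDC's role): wrap the OTP as User-Password in an Access-Request."""
    req_auth = req_auth or os.urandom(16)
    enc = encrypt_user_password(otp, req_auth, secret)
    attrs = (bytes([ATTR_USER_NAME, 2 + len(user)]) + user
             + bytes([ATTR_USER_PASSWORD, 2 + len(enc)]) + enc)
    return struct.pack(">BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs


def verify_response(resp: bytes, req_auth: bytes, secret: bytes) -> bool:
    """Client side: check the Response Authenticator before trusting Accept/Reject."""
    expected = hashlib.md5(resp[:4] + req_auth + resp[20:] + secret).digest()
    return hmac.compare_digest(expected, resp[4:20])


if __name__ == "__main__":
    now = time.time()
    code = totp(TOTP_SECRETS[b"alice"], int(now // 30)).encode()
    req_auth = os.urandom(16)
    resp = handle_access_request(build_access_request(1, b"alice", code, RADIUS_SECRET, req_auth),
                                 RADIUS_SECRET, now)
    print("authentic:", verify_response(resp, req_auth, RADIUS_SECRET), "code:", resp[0])
```

Two things a production stub needs that this one leaves out: the UDP listener on 1812, and replay protection, i.e. remembering the last accepted step per user so a captured code cannot be reused within the skew window. Note also that the only thing protecting the OTP in transit is the MD5-based User-Password hiding, so the shared secret must be long and random and the KDC-to-RADIUS hop should stay on a trusted network.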
