We use Kerberos but NOT LDAP at the day job.
We'd like to be able to leverage 2fa for some services (admins) and some
services (ssh logins) but not have to pump a 2fa code into, say, our mail
applications.
Complication number 2 is something like "SecurID is *expensive* for a
Is there a way to make the acquisition of a TGT (for GSSAPI
authentication) vs Password Authentication require 2fa?
Is there any reasonable support for off-the-shelf TOTP or HOTP
authenticators, i.e. google authenticator or whatnot? If so, is there
support to have a user have *multiple* available authenticators, such that
Googling this all gets me a bunch of (some older, some newer articles
about the varying states of SPAKE and the like), and a whole bunch of
ads now being shown for startups that want to do it differently but I'm
The final problem, of course, is that if I make all my KDC's 2fa-aware on
their own, there's no communication of double-use of a token, unless I
centralize things, which breaks the purpose of having geo-diverse KDC's.
I don't suppose the kerberos db replication mechanism has anything that
This is all pie-in-the-sky stuff, but practical answers "just an FAQ" are

>Googling this all gets me a bunch of (some older, some newer articles
>about the varying states of SPAKE and the like), and a whole bunch of
>ads now being shown for startups that want to do it differently but I'm
>The final problem, of course, is that if I make all my KDC's 2fa-aware on
>their own, there's no communication of double-use of a token, unless I
>centralize things, which breaks the purpose of having geo-diverse KDC's.
>I don't suppose the kerberos db replication mechanism has anything that
>This is all pie-in-the-sky stuff, but practical answers "just an FAQ" are

So, I think I speak with some authority on this subject. I've been involved
with some kind of 2FA with Kerberos for a
You can do it, but depending on exactly WHAT you want to do may
You've heard the expression, "With a big enough engine, you can make a barn door fly"? That applies here.
There are some architectural issues that make this all complicated
The first question you need to answer is: what are your clients? This
is important because which specific 2FA protocol you use depends on
SAM2 - this is the old protocol that we originally used waay back
when we started (and we still use today for some factors).