We are using FreeRadius, Kerberos and Google Authenticator to implement two-factor authentication. The two-factor auth works fine, both from radtest and from a Watchguard firewall. To log in, a user enters their Kerberos password and concatenates the PIN provided by Google Authenticator. Radius uses PAM to talk to GAuth and then to Kerberos. The PAM stack is

    auth requisite pam_google_authenticator.so forward_pass
    auth required pam_krb5.so use_first_pass

The forward_pass directive tells pam_google_authenticator.so to strip off the trailing six characters, validate them, then pass the remaining string on to the next step as a password.

The problem arises when a Kerberos policy ages out a password, requiring a reset (or +needchange is set on the principal). When that occurs, the user is not notified. They enter their password and PIN as normal and are allowed in. Something in the background then updates the Kerberos password to be the old password plus the appended PIN (e.g. mypasswrd123456). I have verified that this new password does in fact exist in the Kerberos database and can be used for further authentications, but of course you need to realize that the change occurred and save the combined string. Not likely to happen in production.

I haven't been able to locate what is doing the change. The only log message is an acknowledgement that the password was updated. It seems like Kerberos must be alerting Radius that a change is required, Radius sees that it has a newish password and passes it back.

I've tried adding

    password required deny.so

to /etc/pam.d/radiusd, but that didn't help.

OS is Ubuntu, and the packages were installed with apt-get.

Any thoughts appreciated.
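As an added illustration (not code from the question or from pam_google_authenticator itself), the following Python models what forward_pass does with the combined token and adds a guard a password-change handler could apply: it computes the TOTP exactly as the authenticator app does (RFC 6238, HMAC-SHA1, 30 s step), strips the trailing six characters, and flags a candidate new password whose tail validates as the current OTP, which is the password+PIN contamination described above. The base32 secret is the RFC 6238 test-vector key, not a real one; the function names are assumptions.

```python
import base64
import hashlib
import hmac
import struct
from typing import Optional, Tuple

# RFC 6238 Appendix B test secret ("12345678901234567890" in base32); constructed, not a real key.
DEMO_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
OTP_LEN = 6          # forward_pass strips this many trailing characters
STEP_SECONDS = 30    # TOTP time step


def totp(secret_b32: str, unix_time: int) -> str:
    """6-digit TOTP (RFC 6238, HMAC-SHA1) for the given Unix time."""
    key = base64.b32decode(secret_b32.upper())
    counter = struct.pack(">Q", unix_time // STEP_SECONDS)
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** OTP_LEN:0{OTP_LEN}d}"


def forward_pass_split(token: str) -> Tuple[str, str]:
    """Model forward_pass: last six characters are the OTP, the rest is the password for pam_krb5."""
    if len(token) <= OTP_LEN:
        raise ValueError("token too short to hold both a password and an OTP")
    return token[:-OTP_LEN], token[-OTP_LEN:]


def authenticate(token: str, secret_b32: str, unix_time: int, window: int = 1) -> Optional[str]:
    """Return the stripped password if the OTP is valid within +/- window steps, else None."""
    password, otp = forward_pass_split(token)
    for delta in range(-window, window + 1):
        if hmac.compare_digest(otp, totp(secret_b32, unix_time + delta * STEP_SECONDS)):
            return password
    return None


def looks_contaminated(candidate: str, secret_b32: str, unix_time: int, window: int = 1) -> bool:
    """Guard for a password-change path (assumed helper): True when the candidate new password
    ends in a code that validates as the user's current OTP, i.e. the unstripped password+PIN
    token is about to be stored as the Kerberos password."""
    if len(candidate) <= OTP_LEN or not candidate[-OTP_LEN:].isdigit():
        return False
    return authenticate(candidate, secret_b32, unix_time, window) is not None
```

Run against the page's scenario, `looks_contaminated("mypasswrd" + totp(secret, now), secret, now)` is True, which is the condition a change handler would refuse to commit.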
