I see this question came up 6 years ago on this list:

https://kerberos.mit.narkive.com/uFhWlsZR/information-request-duo-integration-for-kinit

On that thread there was some talk about MIT's implementation, possible eventual open sourcing of said implementation and/or creating a
newer/cleaner implementation using SPAKE-2.

Did anything ever come if this? We'd certainly love to be able to
selectively integrate second factors such as Duo with our MIT krb5 KDCs.

Ben

--
Ben Poliakoff
Associate Director
Technology Infrastructure Services
Reed College

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

To: kerberos@mit.edu

On 4/26/21 2:36 PM, Ben Poliakoff wrote:

On that thread there was some talk about MIT's implementation, possible eventual open sourcing of said implementation and/or creating a
newer/cleaner implementation using SPAKE-2.

Did anything ever come if this? We'd certainly love to be able to
selectively integrate second factors such as Duo with our MIT krb5 KDCs.

Unfortunately no. The MIT implementation isn't in a releasable state,
and we haven't made any significant progress on implementing second
factors in SPAKE.

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

To: kerberos@mit.edu

On Mon, Apr 26, 2021, 2:55 PM Greg Hudson <ghudson@mit.edu> wrote:

On 4/26/21 2:36 PM, Ben Poliakoff wrote:

On that thread there was some talk about MIT's implementation, possible eventual open sourcing of said implementation and/or creating a newer/cleaner implementation using SPAKE-2.

Did anything ever come if this? We'd certainly love to be able to selectively integrate second factors such as Duo with our MIT krb5 KDCs.

Unfortunately no. The MIT implementation isn't in a releasable state,
and we haven't made any significant progress on implementing second
factors in SPAKE.

Bummer, but thanks for the info.

Ben



--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

Copy: kerberos@mit.edu

Rutgers uses DUO. I did a test integration using the IPA Radius support, which I believe is also in MIT Kerberos. Point it at a Radius server that supports DUO.

On Apr 26, 2021, at 2:36 PM, Ben Poliakoff <benp@reed.edu> wrote:

I see this question came up 6 years ago on this list:

https://kerberos.mit.narkive.com/uFhWlsZR/information-request-duo-integration-for-kinit

On that thread there was some talk about MIT's implementation, possible eventual open sourcing of said implementation and/or creating a
newer/cleaner implementation using SPAKE-2.

Did anything ever come if this? We'd certainly love to be able to
selectively integrate second factors such as Duo with our MIT krb5 KDCs.

Ben

--
Ben Poliakoff
Associate Director
Technology Infrastructure Services
Reed College
________________________________________________
Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

Copy: kerberos@mit.edu

Good idea, I'll look into that. Thanks for the suggestion!

On Thu, Apr 29, 2021, 6:37 AM <hedrick@rutgers.edu> wrote:

Rutgers uses DUO. I did a test integration using the IPA Radius support, which I believe is also in MIT Kerberos. Point it at a Radius server that supports DUO.

On Apr 26, 2021, at 2:36 PM, Ben Poliakoff <benp@reed.edu> wrote:

I see this question came up 6 years ago on this list:

https://kerberos.mit.narkive.com/uFhWlsZR/information-request-duo-integration-for-kinit

On that thread there was some talk about MIT's implementation, possible eventual open sourcing of said implementation and/or creating a newer/cleaner implementation using SPAKE-2.

Did anything ever come if this? We'd certainly love to be able to selectively integrate second factors such as Duo with our MIT krb5 KDCs.

Ben

--
Ben Poliakoff
Associate Director
Technology Infrastructure Services
Reed College
________________________________________________
Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)