
The following guide demonstrates how users can connect to the Kerberos server to get a TGT (ticket-granting ticket), first with a standard static-password account and then with an account that has HOTP enabled for strong authentication. The client used is the kinit Kerberos client that ships with the JDK.

Setting Up Kerberos Configuration

You're going to need to configure your operating system to enable Kerberos authentication for your realm. To do this please consult the following HOWTO: OS Kerberos Configuration.

Getting a TGT for Static Password Accounts

Now, to connect to the server and authenticate as a regular static-password user, try the following command using the test account for mcurie@EXAMPLE.COM:

kinit -f -A mcurie

When prompted for the password type in 'secret'. If everything is configured correctly you should get the following output from the command:

Password for mcurie@EXAMPLE.COM:secret
New ticket is stored in cache file C:\Documents and Settings\akarasulu\krb5cc_akarasulu

Disregard the fact that my (akarasulu) Windows user account is storing mcurie's TGT in my cache file.

Getting a TGT for a HOTP Account

The mcurie user is a standard static-password account without HOTP enabled: the password 'secret' never changes. The codehaus demo account, however, has strong authentication enabled. It is configured as a HOTP two-factor user, whose passwords are non-static One Time Passwords (OTP). Below are the first 10 HOTP values for this account, in the order they must be used:

HOTP Values for codehaus@EXAMPLE.COM

  1. 027537
  2. 558646
  3. 653433
  4. 747711
  5. 797170
  6. 321512
  7. 639102
  8. 659267
  9. 257741
  10. 465539

HOTP values are counter-based: the server keeps track of how many values have already been consumed, so once a value is used it cannot be used again, and the order in which the values are used is important. To authenticate and get a TGT for user codehaus, issue the following kinit command:

kinit -f -A codehaus

When prompted for the password type in the first HOTP value of '027537'. If everything is configured correctly you should get the following output from the command:

Password for codehaus@EXAMPLE.COM:027537
New ticket is stored in cache file C:\Documents and Settings\akarasulu\krb5cc_akarasulu
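To make the ordering and no-reuse rules concrete, here is an added example (not code from the original page or from the Triplesec/HausKeys projects) that implements RFC 4226 HOTP and a minimal server-side verifier of the kind the KDC must run for the codehaus account. The secret used is the RFC 4226 Appendix D test seed, not the real seed of the codehaus demo account, which this page does not give, so the values it produces differ from the list above; the look-ahead window of 5 is likewise an assumption, not Triplesec's configured value. It also shows why a value that someone else has already consumed is rejected, which is the situation described in the last section of this page.

```python
import hashlib
import hmac
import struct

# Assumption: RFC 4226 Appendix D test seed. The seed of the codehaus demo
# account is not published on this page, so this is a stand-in.
DEMO_SECRET = b"12345678901234567890"
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation to 31 bits, then reduce modulo 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{code % (10 ** digits):0{digits}d}"


def first_values(secret: bytes, n: int = 10, start: int = 0) -> list:
    """The first n values the token will produce, in order of use.
    This is what the 'HOTP Values' list on this page corresponds to."""
    return [hotp(secret, start + i) for i in range(n)]


class HotpVerifier:
    """Server side (assumed model of what the KDC does for a HOTP user).

    Remembers the next expected counter. A candidate is accepted only if it
    matches some counter in [next, next + window); the counter then advances
    past the match. Anything at or below the last accepted counter is a
    replay and is rejected, and the order of use therefore matters."""

    def __init__(self, secret: bytes, window: int = 5):
        self.secret = secret
        self.window = window          # assumption: look-ahead for skipped values
        self.next_counter = 0

    def verify(self, candidate: str) -> bool:
        for c in range(self.next_counter, self.next_counter + self.window):
            # constant-time compare avoids leaking which digits matched
            if hmac.compare_digest(hotp(self.secret, c), candidate):
                self.next_counter = c + 1
                return True
        return False


def demo() -> dict:
    """Walk through the cases the text describes and return the outcomes."""
    values = first_values(DEMO_SECRET)
    kdc = HotpVerifier(DEMO_SECRET)
    first_ok = kdc.verify(values[0])        # first value: accepted
    replay = kdc.verify(values[0])          # same value again: rejected
    skip_ok = kdc.verify(values[3])         # skipped ahead inside window: accepted
    stale = kdc.verify(values[1])           # value behind the counter: rejected

    # Someone else used the demo account first and consumed values 0..4,
    # so a newcomer typing the published first value is turned away.
    shared = HotpVerifier(DEMO_SECRET)
    for v in values[:5]:
        shared.verify(v)
    used_up = shared.verify(values[0])

    return {
        "values": values,
        "first_ok": first_ok,
        "replay": replay,
        "skip_ok": skip_ok,
        "stale": stale,
        "used_up": used_up,
        "next_counter": kdc.next_counter,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The verifier is deliberately strict about anything behind the counter: a HOTP value is a single-use credential, so replaying one that has already been typed into kinit must fail even though it was once valid.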

Generating HOTP Values Yourself For Demo Accounts

You can download and install the HausKeys application for the demo accounts onto your J2ME phone. Both Triplesec and HausKeys come prepackaged with a set of demo accounts for testing. You can download and install these demo accounts in three ways:

  1. Have the demo application running online send an SMS to your phone with the URL of the demo client to download. Just visit the following URL and fill out the form to have an SMS message sent to your phone: http://demo.safehaus.org/demo/smsAccountForm.html.
  2. Download the client onto your PC and upload to your phone via PC link cable. Here are the various demo account URLs:
  3. Use your phone's WAP browser to navigate to any one of the URLs above and initiate a download directly onto your phone.

Note that all these demo accounts use '1234' as the PIN to unlock the HausKeys application and generate OTP values. The static password for these accounts is 'secret'. You can use these accounts to log into your own instance of the demo application that comes with Triplesec.

Don't Use Demo Accounts With Online Demo

Using the demo accounts with the online demo will not work. Someone has probably used the demo account already and consumed the HOTP values generated by these demo accounts, so the server's counter has moved past them. If you want to use the online demo you will have to register a new account and have its HausKeys application provisioned to your phone.
