[39087] in Kerberos
Always prompting for OTP
daemon@ATHENA.MIT.EDU (BuzzSaw Code)
Tue May 10 11:51:44 2022
From: BuzzSaw Code <buzzsaw.code@gmail.com>
Date: Tue, 10 May 2022 11:47:55 -0400
Message-ID: <CAJhaRZLGArFp=hu0X97yQOKy=W=YCk4eaQXip1+28Vp2oWta+w@mail.gmail.com>
To: kerberos@mit.edu

I'm trying to understand if the behavior I'm seeing is by design or a bug.

Using the 1.19.3 release along with Russ Allbery's pam_krb5, no matter what
options are set for pam_krb5, when using one of our accounts set up for
RadiusOverOTP, the krb5 library prompter asks for the OTP token.

Tracing the calls and adding our own debug statements, we see that the
password is being passed in to the Kerberos library routines.

It seems like the original credentials that were passed in, which is the
valid OTP "pin+password", are tossed by the krb5 library routines once the
KDC responds asking for preauth and the anonymous FAST conversation is done,
no matter what.

Is there no way to tell the library to use the credentials we gave you
without asking for more information?

V/r,
DC