[39090] in Kerberos

Re: Always prompting for OTP

daemon@ATHENA.MIT.EDU (Russ Allbery)
Tue May 10 14:09:27 2022

From: Russ Allbery <eagle@eyrie.org>
To: BuzzSaw Code <buzzsaw.code@gmail.com>
In-Reply-To: <CAJhaRZKzi91odO9Eu87J7z6xC_EepWrxSAL++EB9Yh6HCZPufQ@mail.gmail.com> (BuzzSaw Code's message of "Tue, 10 May 2022 13:51:02 -0400")
Date: Tue, 10 May 2022 11:05:45 -0700
Message-ID: <8735hhs1om.fsf@hope.eyrie.org>
MIME-Version: 1.0
Cc: kerberos@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

BuzzSaw Code <buzzsaw.code@gmail.com> writes:

> A bad side effect of this behavior is that the calling PAM module never
> gets that OTP value so it isn't available for other modules in the
> stack, so they too prompt for credentials because they think the
> password has not been entered yet.

What behavior do you expect here?  For the full OTP+password string to be
carried over to other modules in the stack, or only the password?

If the latter, I believe this inherently requires that the pam_krb5 module
know to disassemble the password (which would probably also solve your
other problems at the cost of more complexity in the PAM module).

-- 
Russ Allbery (eagle@eyrie.org)             <https://www.eyrie.org/~eagle/>
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos