[39097] in Kerberos
Re: Always prompting for OTP
daemon@ATHENA.MIT.EDU (Russ Allbery)
Tue May 10 17:16:12 2022
From: Russ Allbery <eagle@eyrie.org>
To: BuzzSaw Code <buzzsaw.code@gmail.com>
In-Reply-To: <CAJhaRZJYY9X_090X7job_gh-R4bcXqgRhTzAEMgkcxYROfM0tA@mail.gmail.com> (BuzzSaw
Code's message of "Tue, 10 May 2022 16:58:17 -0400")
Date: Tue, 10 May 2022 14:12:34 -0700
Message-ID: <87czglqegt.fsf@hope.eyrie.org>
MIME-Version: 1.0
Cc: kerberos@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
BuzzSaw Code <buzzsaw.code@gmail.com> writes:
> But that prompt is a callback to the prompter routine in pam_krb5 passed
> in so I could bypass that prompt by just force feeding the "password"
> into the response structure right ?
Yes, you can intercept it inside pam_krb5. It's really ugly from a
pam-krb5 architecture perspective, though, so I'm not sure I'd want to
incorporate that upstream.
I feel like we went through a very similar problem with the use_pkinit
option and we came up with some solution that didn't require doing this
response injection thing, but I seem to have swapped all of that out of my
brain. But maybe that was a different problem, since, looking at the
code, I think I used a prompter that rejected all password prompts, which
is sort of the opposite problem from the problem you're having.
--
Russ Allbery (eagle@eyrie.org) <https://www.eyrie.org/~eagle/>
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
