[20288] in Kerberos_V5_Development
Re: Add support for Access-Challenge response for OTP/RADIUS
daemon@ATHENA.MIT.EDU (Greg Hudson)
Tue Jun 8 12:37:26 2021
To: Pavel Březina <pbrezina@redhat.com>, <krbdev@mit.edu>
From: Greg Hudson <ghudson@mit.edu>
Message-ID: <b746d225-af5e-8d05-7237-f8f000c15207@mit.edu>
Date: Tue, 8 Jun 2021 12:36:58 -0400
In-Reply-To: <5aa8aaf9-c301-b43d-3b33-3c3cea23a0c5@redhat.com>

On 6/8/21 7:46 AM, Pavel Březina wrote:
> At this moment, it accepts Access-Challenge and unconditionally sends
> another Access-Request with State attribute set. But I need help with
> delivering the prompt to the user. Can you give me some hints on how to
> deliver the prompt to the Kerberos client (e.g. kinit) and then send
> user's reply back to KDC and RADIUS server?

The RADIUS code in MIT krb5 is not designed to be a general
RADIUS-to-krb5 bridge. It's just there as a mechanism to verify a PIN
sent over FAST OTP. By the time the KDC makes a RADIUS request,
interaction with the client (and therefore the user) has already ended,
except for the delivery of an error or issued ticket.

Can you describe at a higher level what the goal is?