
Re: Add support for Access-Challenge response for OTP/RADIUS

daemon@ATHENA.MIT.EDU (Alexander Bokovoy)
Thu Jun 10 11:16:38 2021

Date: Thu, 10 Jun 2021 18:15:58 +0300
From: Alexander Bokovoy <abokovoy@redhat.com>
To: Greg Hudson <ghudson@mit.edu>
Message-ID: <YMIsrsrXKz9qvmzh@redhat.com>
MIME-Version: 1.0
In-Reply-To: <94e04296-8cd2-83b8-286a-5594a564706c@mit.edu>
Content-Disposition: inline
Cc: krbdev@mit.edu
Content-Type: text/plain; charset="iso-8859-1"
Errors-To: krbdev-bounces@mit.edu
Content-Transfer-Encoding: 8bit

On Thu, 10 Jun 2021, Greg Hudson wrote:
>On 6/9/21 3:36 AM, Alexander Bokovoy wrote:
>> - check if 'otp' string is present in the rock config
>>   - if it is present, check if it contains a challenge request flag
>>     - if challenge request flag is present, ask RADIUS server for the
>>       information and expect it to return Access-Challenge with the
>>       State attribute.
>>       - if Access-Challenge is missing, fail OTP processing
>>       - if Access-Challenge is present, set the challenge of the token
>>     info into the challenge value from the RADIUS packet
>
>This sounds reasonable.
>
>> What we also need is to preserve the state from Access-Challenge to be
>> reused when the client response comes back.
>
>Have a look at the set_cookie() and get_cookie() callbacks in the
>kdcpreauth interface.  You can find an example of their use in
>plugins/preauth/spake/spake_kdc.c.

Thanks, that looks like what we need. Pavel, does this clarify a
question for you too?


-- 
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland

_______________________________________________
krbdev mailing list             krbdev@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev
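
Added example, not part of the original message and not krb5's or FreeIPA's code: a Python model of the two-round exchange Alexander outlines, so the flow can be run end to end offline. The KDC side sends an Access-Request and fails OTP processing unless an Access-Challenge carrying a State attribute comes back; it then sends the client's OTP together with that State, echoed unmodified as RFC 2865 section 5.24 requires. Packet layout, Response Authenticator verification and User-Password hiding follow RFC 2865 sections 3 and 5.2. The names FakeOtpRadiusServer, kdc_otp_round1, kdc_otp_round2 and the SECRET value are constructed for the example; the real module is C under plugins/preauth/otp, and the State blob here is simply handed from one function to the next where a kdcpreauth module would stash it with set_cookie() and read it back with get_cookie().

```python
# Added example, not krb5 or FreeIPA code: the two-round RADIUS Access-Challenge
# exchange described above, State carried between rounds. Wire format per RFC 2865.
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_REPLY_MESSAGE, ATTR_STATE = 1, 2, 18, 24
SECRET = b"constructed-shared-secret"  # assumption: shared secret from the otp config

def encode_attrs(attrs):
    """Type(1) Length(1) Value; Length counts the two header bytes."""
    out = b""
    for t, v in attrs:
        if not 1 <= len(v) <= 253:
            raise ValueError("attribute value must be 1..253 bytes")
        out += struct.pack("!BB", t, len(v) + 2) + v
    return out

def decode_attrs(data):
    attrs = []
    while data:  # reject truncated or self-inconsistent lengths
        if len(data) < 2 or data[1] < 2 or data[1] > len(data):
            raise ValueError("malformed attribute")
        attrs.append((data[0], data[2:data[1]]))
        data = data[data[1]:]
    return attrs

def get_attr(attrs, t):
    return next((v for a, v in attrs if a == t), None)

def hide_password(value, secret, req_auth, reveal=False):
    """RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous block),
    seeded with the Request Authenticator. reveal=True inverts and strips NUL pad."""
    data = value if reveal else value + b"\0" * (-len(value) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        x = bytes(a ^ b for a, b in zip(block, hashlib.md5(secret + prev).digest()))
        out, prev = out + x, (block if reveal else x)
    return out.rstrip(b"\0") if reveal else out

def build_request(ident, req_auth, attrs):
    body = encode_attrs(attrs)
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + req_auth + body

def build_response(code, request, attrs, secret):
    """Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    body = encode_attrs(attrs)
    head = struct.pack("!BBH", code, request[1], 20 + len(body))
    return head + hashlib.md5(head + request[4:20] + body + secret).digest() + body

def parse_response(pkt, request, secret):
    """Check length, identifier and Response Authenticator before trusting any attribute."""
    if len(pkt) < 20 or pkt[1] != request[1] or struct.unpack("!H", pkt[2:4])[0] != len(pkt):
        raise ValueError("length or identifier mismatch")
    if hashlib.md5(pkt[:4] + request[4:20] + pkt[20:] + secret).digest() != pkt[4:20]:
        raise ValueError("bad Response Authenticator")
    return pkt[0], decode_attrs(pkt[20:])

class FakeOtpRadiusServer:
    """Constructed stand-in for the OTP/RADIUS backend; remembers each issued State."""
    def __init__(self, secret, expected_otp):
        self.secret, self.expected_otp, self.pending = secret, expected_otp, {}

    def handle(self, request):
        attrs = decode_attrs(request[20:])
        state = get_attr(attrs, ATTR_STATE)
        if state is None:  # round 1: challenge plus an opaque, single-use State
            state = os.urandom(16)
            self.pending[state] = self.expected_otp
            return build_response(ACCESS_CHALLENGE, request,
                                  [(ATTR_REPLY_MESSAGE, b"Enter your OTP"),
                                   (ATTR_STATE, state)], self.secret)
        expected = self.pending.pop(state, None)  # round 2: unknown/replayed State fails
        hidden = get_attr(attrs, ATTR_USER_PASSWORD)
        ok = (expected is not None and hidden is not None and hmac.compare_digest(
              hide_password(hidden, self.secret, request[4:20], reveal=True), expected))
        return build_response(ACCESS_ACCEPT if ok else ACCESS_REJECT, request, [], self.secret)

def kdc_otp_round1(server, user, secret=SECRET):
    """KDC side, round 1: fail OTP processing unless an Access-Challenge with a
    State attribute comes back; return (challenge text for the client, State)."""
    request = build_request(1, os.urandom(16), [(ATTR_USER_NAME, user.encode())])
    code, attrs = parse_response(server.handle(request), request, secret)
    state = get_attr(attrs, ATTR_STATE)
    if code != ACCESS_CHALLENGE or state is None:
        raise RuntimeError("no Access-Challenge with State: fail OTP processing")
    return (get_attr(attrs, ATTR_REPLY_MESSAGE) or b"").decode(), state

def kdc_otp_round2(server, user, otp, state, secret=SECRET):
    """KDC side, round 2: the client's OTP plus the preserved State, echoed
    unmodified (RFC 2865 5.24). True on Access-Accept."""
    req_auth = os.urandom(16)
    request = build_request(2, req_auth, [(ATTR_USER_NAME, user.encode()), (ATTR_STATE, state),
        (ATTR_USER_PASSWORD, hide_password(otp.encode(), secret, req_auth))])
    code, _ = parse_response(server.handle(request), request, secret)
    return code == ACCESS_ACCEPT
```

Two points the mock makes explicit: the KDC verifies the Response Authenticator before it reads the State at all, so a forged or corrupted Access-Challenge is dropped rather than stored; and the server treats each State as single-use, so replaying a captured State with a valid OTP is rejected. In the real plugin the preserved State would live in the preauth cookie rather than in a local variable, but the checks around it are the same.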

