[20292] in Kerberos_V5_Development


Re: Add support for Access-Challenge response for OTP/RADIUS

daemon@ATHENA.MIT.EDU (Pavel Březina)
Tue Jun 15 04:36:59 2021

To: Alexander Bokovoy <abokovoy@redhat.com>, Greg Hudson <ghudson@mit.edu>
From: Pavel Březina <pbrezina@redhat.com>
Message-ID: <de0f0632-f6e2-ddbe-be93-a97dc71916d8@redhat.com>
Date: Tue, 15 Jun 2021 10:36:28 +0200
In-Reply-To: <YMIsrsrXKz9qvmzh@redhat.com>
Cc: krbdev@mit.edu

On 6/10/21 5:15 PM, Alexander Bokovoy wrote:
> On Thu, 10 Jun 2021, Greg Hudson wrote:
>> On 6/9/21 3:36 AM, Alexander Bokovoy wrote:
>>> - check if 'otp' string is present in the rock config
>>>   - if it is present, check if it contains a challenge request flag
>>>     - if challenge request flag is present, ask RADIUS server for the
>>>       information and expect it to return Access-Challenge with the
>>>       State attribute.
>>>       - if Access-Challenge is missing, fail OTP processing
>>>       - if Access-Challenge is present, set the challenge of the token
>>>     info into the challenge value from the RADIUS packet
>>
>> This sounds reasonable.
>>
>>> What we also need is to preserve the state from Access-Challenge to be
>>> reused when client response would come back.
>>
>> Have a look at the set_cookie() and get_cookie() callbacks in the
>> kdcpreauth interface.  You can find an example of their use in
>> plugins/preauth/spake/spake_kdc.c.
> 
> Thanks, that looks like what we need. Pavel, does this clarify a
> question for you too?

Yes, thank you. This looks doable.

_______________________________________________
krbdev mailing list             krbdev@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev
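The first-round flow from the quoted list, plus the State handoff Greg points at, as an added C sketch that is not part of this thread or of the krb5 OTP plugin. It assumes the challenge text arrives in Reply-Message, and it models the kdcpreauth set_cookie()/get_cookie() slot with a static buffer instead of the real rock-keyed callbacks.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed Access-Challenge (not a captured packet): code 11, id 1, length 34,
 * zeroed authenticator, State "abc123" (type 24), Reply-Message "Q:42" (type 18). */
static const uint8_t sample_challenge[] = {
    11, 1, 0, 34, 0,0,0,0, 0,0,0,0, 0,0,0,0, 0,0,0,0,
    24, 8, 'a','b','c','1','2','3', 18, 6, 'Q',':','4','2' };

/* Stand-ins for the plugin's cookie (set_cookie/get_cookie, keyed by pa_type in
 * the real KDC) and for the challenge field of the token info. */
static uint8_t saved_state[64]; static size_t saved_state_len;
char token_challenge[64];

/* Walk RFC 2865 attribute TLVs after the 20-byte header; reject bad lengths. */
static const uint8_t *radius_find_attr(const uint8_t *pkt, size_t len,
                                       uint8_t type, size_t *vlen)
{
    for (size_t off = 20; off + 2 <= len; off += pkt[off + 1]) {
        uint8_t l = pkt[off + 1];
        if (l < 2 || off + l > len) return NULL;      /* malformed attribute */
        if (pkt[off] == type) { *vlen = l - 2; return pkt + off + 2; }
    }
    return NULL;
}

/* Round 1 for a challenge-request token: Access-Challenge (code 11) with State is
 * mandatory; State becomes the cookie, the (assumed) Reply-Message text becomes
 * the token info challenge. Returns 1, or 0 to fail OTP processing. */
int otp_round1(const uint8_t *pkt, size_t len)
{
    size_t slen = 0, mlen = 0;
    const uint8_t *s, *m;
    if (len < 20 || pkt[0] != 11) return 0;             /* not Access-Challenge */
    s = radius_find_attr(pkt, len, 24, &slen);
    if (s == NULL || slen == 0 || slen > sizeof(saved_state)) return 0;
    memcpy(saved_state, s, slen); saved_state_len = slen;
    m = radius_find_attr(pkt, len, 18, &mlen);
    snprintf(token_challenge, sizeof(token_challenge), "%.*s",
             m ? (int)mlen : 0, m ? (const char *)m : "");
    return 1;
}

/* Round 2: the KDC must replay exactly the State it saved (get_cookie). */
int otp_round2_state_matches(const uint8_t *state, size_t len)
{
    return saved_state_len != 0 && len == saved_state_len &&
           memcmp(saved_state, state, len) == 0;
}
```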
