Configuring OTPOverRadius
Greg Hudson
ghudson at MIT.EDU
Thu Aug 8 13:58:29 EDT 2013
On 08/08/2013 07:39 AM, Cornelius Kölbel wrote:
>> You might need to attach to the krb5kdc process with gdb, set a
>> breakpoint in otp_edata, and find out why it's deciding not to
>> produce a challenge for the preauth-required error.
> (gdb) break plugins/preauth/otp/main.c:197
> but it does not break - as if it did not load the otp preauth
> plugin at all. Can I stop an break somewhere where otp should be
> loaded?
It might not be loading the OTP preauth module (although no special
build or runtime configuration should be required to do so), but it's
hard to tell because you set the breakpoint using a relative-path
filename instead of the function name (otp_edata). So I don't know
whether the code isn't being touched or if your breakpoint just didn't
work because the filename didn't match because gdb thought of it as
relative to some other directory.
The OTP module is loaded in kdc_preauth.c:241 by this line of code:
k5_plugin_register_dyn(context, PLUGIN_INTERFACE_KDCPREAUTH, "otp",
"preauth");
Since your KDC can load the PKINIT preauth module, it should be able
to load the OTP module. However, make sure that the OTP module was
actually built and installed; it builds in plugins/preauth/otp/otp.so
and installs into <libdir>/krb5/plugins/preauth/otp.so.
More information about the krbdev
mailing list