pam-krb5 4.5 released

Russ Allbery rra at stanford.edu
Fri Feb 10 16:15:38 EST 2012


Greg Hudson <ghudson at MIT.EDU> writes:

> I think the best way to verify is using a packet trace.  Trace logging
> would ordinarily be the best way, but $KRB5_TRACE won't work with a
> secure context and I don't think pam_krb5 has yet added an option to
> turn on trace logging via the API.

Not yet.  :/  It's on my list, though.

>> Is there any way to eliminate the need for this first password?

> Not with the securid-sam2 preauth module.  It implements the
> send-encrypted-sad method of SAM2 preauth, which requires the user's
> long-term key to be used to encrypt the OTP value.

Ah!  So the pam-krb5 flag, while necessary, won't actually solve this
problem yet.

-- 
Russ Allbery (rra at stanford.edu)             <http://www.eyrie.org/~eagle/>

