pam-krb5 4.5 released
Russ Allbery
rra at stanford.edu
Fri Feb 10 16:15:38 EST 2012
Greg Hudson <ghudson at MIT.EDU> writes:
> I think the best way to verify is using a packet trace. Trace logging
> would ordinarily be the best way, but $KRB5_TRACE won't work with a
> secure context and I don't think pam_krb5 has yet added an option to
> turn out trace logging via the API.
Not yet. :/ It's on my list, though.
>> Is there any way to eliminate the need for this first password?
> Not with the securid-sam2 preauth module. It implements the
> send-encrypted-sad method of SAM2 preauth, which requires the user's
> long-term key to be used to encrypt the OTP value.
Ah! So the pam-krb5 flag, while necessary, won't actually solve this
problem yet.
--
Russ Allbery (rra at stanford.edu) <http://www.eyrie.org/~eagle/>
More information about the Kerberos
mailing list