OTP, RADIUS, timeouts
Greg Hudson ghudson at mit.edu
Mon Dec 22 16:26:08 EST 2014
On 12/22/2014 05:49 AM, Tollef Fog Heen wrote:
> I'm trying to set up the MIT KDC with support for OTP tokens (yubikeys
> in my case, as a single factor, at least initially).  I have the entire
> bit from the RADIUS server and backwards working correctly, but I can't
> get the KDC to see replies from the RADIUS server, it complains about
> «connection timed out».  Platform is Debian jessie with the packaged
> 1.12.1, but I see the same problem with a 1.13 tar.gz build.

I'm not sure why you're getting this.  A local firewall could perhaps
cause this problem, but I don't have high confidence in that hypothesis.
You may need to instrument or debug the OTP verification code
(otp_verify in src/plugins/preauth/otp/main.c) and the RADIUS server, or
look at a packet trace with tcpdump or wireshark.

> The problem also shows itself when running the t_otp test (where I had
> to change the type of User-Password to octets instead of string, but I
> doubt that's the problem):

Ah, thanks for pointing that out.  I had started seeing test failures in
pyrad versions new enough to try to decode string attributes as UTF-8,
but hadn't connected the problem to the attribute type in
radius_attributes.  I will file a pull request shortly, but you're right
that this isn't connected to your timeout issue.
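Added example, not from the thread and not code from MIT krb5 or pyrad: a small RFC 2865 RADIUS request/reply pair that shows the two mechanics behind the discussion above. The User-Password attribute is masked with an MD5 keystream keyed on the shared secret and the Request Authenticator, so its value is arbitrary bytes (an octets attribute, not a UTF-8 string), which is why a library that decodes string attributes as UTF-8 can fail on it. The client also checks the Response Authenticator of every reply with the same shared secret, and RFC 2865 has it silently discard a reply that fails that check, so a secret mismatch on either side is indistinguishable from a server that never answered. The secret, password, username and authenticator below are constructed values.

```python
# Added example (not from the thread or from MIT krb5/pyrad): a minimal
# RFC 2865 RADIUS client/server pair, enough to show why User-Password is
# an octets attribute and how a reply can be dropped without any error.
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST = 1
ACCESS_ACCEPT = 2
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to a multiple of 16, then XOR each 16-byte block with
    MD5(secret + previous ciphertext block); the Request Authenticator plays
    the role of the previous block for the first one. The result is a
    keystream-masked blob with no text encoding, hence an 'octets' attribute."""
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = bytearray(), authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += block
        prev = block
    return bytes(out)


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password (what the RADIUS server does). Trailing NUL
    padding is stripped, as RFC 2865 specifies."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden User-Password must be a non-empty multiple of 16 bytes")
    out, prev = bytearray(), authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(c ^ m for c, m in zip(block, mask))
        prev = block
    return bytes(out).rstrip(b"\x00")


def encode_attr(attr_type: int, value: bytes) -> bytes:
    """RADIUS attribute TLV: type, total length (including these 2 bytes), value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def parse_attrs(packet: bytes) -> list:
    """Return [(type, value), ...] for the attributes after the 20-byte header."""
    attrs, pos = [], 20
    while pos < len(packet):
        attr_type, length = struct.unpack("!BB", packet[pos:pos + 2])
        if length < 2 or pos + length > len(packet):
            raise ValueError("malformed attribute")
        attrs.append((attr_type, packet[pos + 2:pos + length]))
        pos += length
    return attrs


def build_access_request(ident, secret, username, password, authenticator=None):
    """Client side: Code, Identifier, Length, 16-byte random Request Authenticator, attributes."""
    authenticator = authenticator or os.urandom(16)
    attrs = encode_attr(ATTR_USER_NAME, username) + \
        encode_attr(ATTR_USER_PASSWORD, hide_password(password, secret, authenticator))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs


def build_reply(code, ident, request_authenticator, secret, attrs=b""):
    """Server side: Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attrs + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_reply(reply, request_authenticator, secret) -> bool:
    """Client-side check of the Response Authenticator. RFC 2865 says a packet
    that fails it is silently discarded, so a wrong shared secret on either
    end looks to the caller exactly like a server that never answered."""
    if len(reply) < 20 or struct.unpack("!H", reply[2:4])[0] != len(reply):
        return False
    header, resp_auth, attrs = reply[:4], reply[4:20], reply[20:]
    expected = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return hmac.compare_digest(expected, resp_auth)


def is_valid_utf8(data: bytes) -> bool:
    """Whether a library that decodes 'string' attributes as UTF-8 would accept this value."""
    try:
        data.decode("utf-8")
        return True
    except UnicodeDecodeError:
        return False


if __name__ == "__main__":
    secret, auth = b"testing123", os.urandom(16)          # constructed values
    req = build_access_request(1, secret, b"user", b"s3cret!", auth)
    hidden = dict(parse_attrs(req))[ATTR_USER_PASSWORD]
    print("hidden User-Password decodes as UTF-8:", is_valid_utf8(hidden))
    reply = build_reply(ACCESS_ACCEPT, 1, auth, secret)
    print("reply accepted with right secret:", verify_reply(reply, auth, secret))
    print("reply accepted with wrong secret:", verify_reply(reply, auth, b"other"))
```

Running the demo with a wrong secret on the client side shows the reply failing verification with no error raised at all, which is the case worth ruling out (alongside firewalls and the packet trace suggested above) before assuming the network is dropping packets.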