OTP, RADIUS, timeouts

Tollef Fog Heen tfheen at err.no
Tue Dec 23 03:48:01 EST 2014

]] Greg Hudson 

> On 12/22/2014 05:49 AM, Tollef Fog Heen wrote:
> > I'm trying to set up the MIT KDC with support for OTP tokens (yubikeys
> > in my case, as a single factor, at least initially).  I have the entire
> > bit from the RADIUS server and backwards working correctly, but I can't
> > get the KDC to see replies from the RADIUS server, it complains about
> > «connection timed out».  Platform in Debian jessie with the packaged
> > 1.12.1, but I see the same problem with a 1.13 tar.gz build.
> I'm not sure why you're getting this.  A local firewall could perhaps
> cause this problem, but I don't have high confidence in that hypothesis.
> You may need to instrument or debug the OTP verification code
> (otp_verify in src/plugins/preauth/otp/main.c) and the RADIUS server, or
> look at a packet trace with tcpdump or wireshark.

The problem goes away if I use the bundled libverto, so I suspect this
is either a bug in Debian's libverto (version 0.2.4) or the krad ↔
libverto interaction.  I've done a quick check with t_otp.py and the
0.2.6 upstream version of libverto and it seems to work better.

After a bit more digging, it turns out that the fix is:

commit e616bd59103bf86087cf652831cc3039a43971b7
Author: Nathaniel McCallum <npmccallum at redhat.com>
Date:   Fri Feb 10 01:13:30 2012 -0500

    fix libev's set_flags() implementation

diff --git a/src/verto-libev.c b/src/verto-libev.c
index 2eb08fc..9c7c324 100644
--- a/src/verto-libev.c
+++ b/src/verto-libev.c
@@ -106,7 +106,9 @@ libev_ctx_set_flags(verto_mod_ctx *ctx, const verto_ev *ev,
         if (verto_get_flags(ev) & VERTO_EV_FLAG_IO_WRITE)
             events |= EV_WRITE;
+        ev_io_stop(ctx, (ev_io*) evpriv);
         ev_io_set(((ev_io*) evpriv), verto_get_fd(ev), events);
+        ev_io_start(ctx, (ev_io*) evpriv);

After applying this to Debian's 0.2.4 libverto, I can now get a ticket
using just a Yubikey, so that's pretty cool.

I'll file a bug in Debian, hopefully Sam can get this snuck in even
though we're in a freeze.

Tollef Fog Heen
UNIX is user friendly, it's just picky about who its friends are

More information about the Kerberos mailing list