otp over radius preauthentication

Frederic Van Espen frederic.ve at gmail.com
Fri May 16 02:51:22 EDT 2014

> I talked to the author of the OTP KDC plugin about this today, and we
> have only vague conjectures at this point.  We might be able to figure
> out what's going on with a raw packet dump of the kinit exchange from
> the KDC's perspective.  The list server will scrub attachments, but if
> you can send me a raw packet dump privately I will see what I can do.

Of course! For the sake of completeness, I still cc'ed the list. I
attached a pcap trace of the packets that are exchanged. I traced on
both port 88 (krb) and 1812 (radius). Here's what you'll find in the

- First an anonymous pkinit to obtain the armor ticket
- Then otp preauth.

I did these tests locally on one and the same machine. So the client
machine is the same as the server.

Let me know if there is anything else that could help you.

More information about the Kerberos mailing list