Kerberos OTP with RADIUS for kadmin
Greg Hudson
ghudson at mit.edu
Tue Aug 21 11:23:57 EDT 2018

On 08/16/2018 06:41 PM, John Devitofranceschi wrote:
> I’m thinking about securing Kerberos administrative principals (*/admin and the like) with OTP using RADIUS.
>
> Will kadmin take kindly to that?

I believe it should be fine. We don't test that particular combination
as far as I know, but we do test kadmin with anonymous PKINIT. I
checked the code and it uses the appropriate interface to be able to
prompt for an OTP code as well as the password.