Always prompting for OTP

BuzzSaw Code buzzsaw.code at gmail.com
Tue May 10 11:47:55 EDT 2022


I'm trying to understand if the behavior I'm seeing is by design or a bug.

Using the 1.19.3 release along with Russ Allbery's pam_krb5, no matter what
options are set for pam_krb5, when using one of our accounts set up for
RadiusOverOTP, the krb5 library prompter asks for the OTP token.

Tracing the calls and adding our own debug statements, we see that the
password is being passed in to the Kerberos library routines.

It seems like the original credentials that were passed in, which is the
valid OTP "pin+password", are tossed by the krb5 library routines once the
KDC responds asking for preauth and the anonymous FAST conversation is done
no matter what.

Is there no way to tell the library to use the credentials we gave you
without asking for more information?

V/r,
DC

