Always prompting for OTP

Greg Hudson ghudson at mit.edu
Tue May 10 13:02:26 EDT 2022


On 5/10/22 11:47, BuzzSaw Code wrote:
> I'm trying to understand if the behavior I'm seeing is by design or a bug.
[...]
> It seems like the original credentials that were passed in, which is the
> valid OTP "pin+password", are tossed by the krb5 library routines once the
> KDC responds asking for preauth and the anonymous FAST conversation is done
> no matter what.

This is by design.  The basic Kerberos protocol does not reveal the
password to the KDC, but FAST OTP does reveal the OTP value (encrypted
within the FAST channel).  So for libkrb5 to transparently send the
password to the KDC when the KDC asks for FAST OTP would have security
implications.

pam_krb5 could work around this decision via its prompter callback, and
that might be reasonable to implement as an option.


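To make the design point above concrete, here is an added example (not code from MIT krb5 or pam_krb5) that models the two client paths in plain Python: key-based preauth, where the KDC only ever sees proof of key knowledge, and FAST OTP, where the token value itself travels inside the armored channel and the KDC holds it in the clear. It also models the workaround Greg mentions: a pam_krb5-style prompter that answers the preauth prompt with the pin+password it already collected. Only the KRB5_PROMPT_TYPE_* values are taken from krb5.h; the KDC, the armor (a toy XOR keystream), the string-to-key function, the prompt text and the sample pin+OTP value are all stand-ins constructed for this example.

```python
"""Model of why libkrb5 does not recycle the password for FAST OTP, and of the
pam_krb5-style prompter workaround. Constructed example, not libkrb5 code: the
prompt-type values mirror KRB5_PROMPT_TYPE_* in krb5.h; everything else (KDC,
FAST armor, string-to-key, prompt text, sample values) is a stand-in."""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Callable, List, Optional

KRB5_PROMPT_TYPE_PASSWORD = 0x1  # value from krb5.h
KRB5_PROMPT_TYPE_PREAUTH = 0x4   # value from krb5.h; preauth modules such as OTP use it


@dataclass
class Prompt:
    text: str
    ptype: int
    reply: Optional[str] = None


# prompter(name, banner, prompts) -> True if every prompt was answered
Prompter = Callable[[str, str, List[Prompt]], bool]


def string2key(password: str, salt: bytes = b"EXAMPLE.COMuser") -> bytes:
    """Stand-in for the salted string-to-key function (real krb5 uses PBKDF2 etc.)."""
    return hashlib.sha256(salt + password.encode()).digest()


def armor(data: bytes, armor_key: bytes) -> bytes:
    """Toy FAST armor: XOR with a SHA-256 keystream (symmetric, so it also unarmors)."""
    stream, counter = b"", 0
    while len(stream) < len(data):
        stream += hashlib.sha256(armor_key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


class FakeKDC:
    """Records every plaintext secret the KDC ends up holding."""

    def __init__(self, principal_key: bytes, valid_otps: List[str], require_otp: bool):
        self.principal_key = principal_key
        self.valid_otps = set(valid_otps)
        self.require_otp = require_otp
        self.seen_secrets: List[str] = []

    def check_encrypted_timestamp(self, ts: int, mac: bytes) -> bool:
        # Proof of key knowledge only; the password itself never reaches the KDC.
        expected = hmac.new(self.principal_key, str(ts).encode(), "sha256").digest()
        return hmac.compare_digest(mac, expected)

    def check_fast_otp(self, armored: bytes, armor_key: bytes) -> bool:
        otp = armor(armored, armor_key).decode()
        self.seen_secrets.append(otp)  # the OTP value is visible inside the FAST channel
        if otp in self.valid_otps:
            self.valid_otps.remove(otp)  # a token value is accepted once
            return True
        return False


def get_init_creds_password(kdc: FakeKDC, password: str, prompter: Prompter) -> str:
    """Models libkrb5's choice: the password argument feeds key-based preauth only;
    when the KDC asks for FAST OTP, the caller's prompter is asked instead."""
    if not kdc.require_otp:
        ts = 1652200946  # constructed timestamp
        mac = hmac.new(string2key(password), str(ts).encode(), "sha256").digest()
        return "ok" if kdc.check_encrypted_timestamp(ts, mac) else "preauth failed"
    prompts = [Prompt("Enter OTP token value", KRB5_PROMPT_TYPE_PREAUTH)]  # illustrative text
    if not prompter("user@EXAMPLE.COM", "", prompts) or prompts[0].reply is None:
        return "no OTP supplied"
    armor_key = hashlib.sha256(b"anonymous FAST armor session key").digest()  # stand-in
    return "ok" if kdc.check_fast_otp(armor(prompts[0].reply.encode(), armor_key), armor_key) else "preauth failed"


def make_pam_prompter(cached_secret: str, reuse_for_otp: bool) -> Prompter:
    """pam_krb5-style prompter. With reuse_for_otp it answers the PREAUTH prompt
    with the pin+password it already collected, once, then forgets it."""
    state = {"secret": cached_secret}

    def prompter(name: str, banner: str, prompts: List[Prompt]) -> bool:
        for p in prompts:
            if state["secret"] is None:
                return False  # nothing cached and no terminal to ask: decline
            if p.ptype == KRB5_PROMPT_TYPE_PASSWORD:
                p.reply = state["secret"]
            elif p.ptype == KRB5_PROMPT_TYPE_PREAUTH and reuse_for_otp:
                p.reply, state["secret"] = state["secret"], None  # single use
            else:
                return False
        return True

    return prompter


def demo() -> dict:
    """The scenarios from the thread, with a constructed pin+OTP value."""
    pin_plus_otp = "4321" + "158364"
    r = {}
    kdc = FakeKDC(string2key("hunter2"), [], require_otp=False)
    r["password_path"] = get_init_creds_password(kdc, "hunter2", make_pam_prompter("hunter2", False))
    r["password_seen_by_kdc"] = list(kdc.seen_secrets)
    kdc = FakeKDC(b"", [pin_plus_otp], require_otp=True)
    r["otp_default"] = get_init_creds_password(kdc, pin_plus_otp, make_pam_prompter(pin_plus_otp, False))
    r["otp_default_seen"] = list(kdc.seen_secrets)
    kdc = FakeKDC(b"", [pin_plus_otp], require_otp=True)
    p = make_pam_prompter(pin_plus_otp, True)
    r["otp_reuse"] = get_init_creds_password(kdc, pin_plus_otp, p)
    r["otp_reuse_seen"] = list(kdc.seen_secrets)
    r["otp_replay"] = get_init_creds_password(kdc, pin_plus_otp, p)  # prompter forgot it
    r["otp_replay_fresh"] = get_init_creds_password(kdc, pin_plus_otp, make_pam_prompter(pin_plus_otp, True))
    return r
```

Running demo() shows the asymmetry in one place: the password path succeeds with the KDC's seen_secrets still empty, the OTP path with a declining prompter fails without sending anything, and the opt-in prompter succeeds at the cost of the KDC now holding the value, which a second attempt (fresh prompter, same value) can no longer use because the token was consumed. That is the trade-off a pam_krb5 option would be opting into.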