Always prompting for OTP

BuzzSaw Code buzzsaw.code at gmail.com
Tue May 10 13:51:02 EDT 2022


>
>
> This is by design.  The basic Kerberos protocol does not reveal the
> password to the KDC, but FAST OTP does reveal the OTP value (encrypted
> within the FAST channel).  So for libkrb5 to transparently send the
> password to the KDC when the KDC asks for FAST OTP would have security
> implications.
>

I guess I'm missing the security issue if I'm asking it to send the
credentials originally supplied in that FAST channel.  We're
using anonymous FAST so I didn't expect (or want) it to send those outside
that channel.

> pam_krb5 could work around this decision via its prompter callback, and
> that might be reasonable to implement as an option.
>

I started looking at that by trying to trace down where the library removes
the password but haven't been able to follow all of the code (yet).

A bad side effect of this behavior is that the calling PAM module never
gets that OTP value so it isn't available for other modules in the stack,
so they too prompt for credentials because they think the password has not
been entered yet.


More information about the Kerberos mailing list