Always prompting for OTP

Russ Allbery eagle at eyrie.org
Tue May 10 14:05:45 EDT 2022


BuzzSaw Code <buzzsaw.code at gmail.com> writes:

> A bad side effect of this behavior is that the calling PAM module never
> gets that OTP value so it isn't available for other modules in the
> stack, so they too prompt for credentials because they think the
> password has not been entered yet.

What behavior do you expect here?  For the full OTP+password string to be
carried over to other modules in the stack, or only the password?

If the latter, I believe this inherently requires that the pam_krb5 module
know to disassemble the password (which would probably also solve your
other problems at the cost of more complexity in the PAM module).

-- 
Russ Allbery (eagle at eyrie.org)             <https://www.eyrie.org/~eagle/>

