Always prompting for OTP
Russ Allbery
eagle at eyrie.org
Tue May 10 14:05:45 EDT 2022
BuzzSaw Code <buzzsaw.code at gmail.com> writes:
> A bad side effect of this behavior is that the calling PAM module never
> gets that OTP value so it isn't available for other modules in the
> stack, so they too prompt for credentials because they think the
> password has not been entered yet.
What behavior do you expect here? For the full OTP+password string to be
carried over to other modules in the stack, or only the password?
If the latter, I believe this inherently requires that the pam_krb5 module
know to disassemble the password (which would probably also solve your
other problems at the cost of more complexity in the PAM module).
--
Russ Allbery (eagle at eyrie.org) <https://www.eyrie.org/~eagle/>
More information about the Kerberos
mailing list