Always prompting for OTP

Russ Allbery eagle at eyrie.org
Tue May 10 14:49:23 EDT 2022


BuzzSaw Code <buzzsaw.code at gmail.com> writes:

> We want the full OTP+password string just passed without modification.

Ah, okay, so then in theory the problem could be solved entirely within
the Kerberos libraries, although I haven't wrapped my mind around the
problem Greg identified.

> It would also be nice if when we use
> try_first_pass/use_first_pass/force_first_pass options with pam_krb5
> that it actually did that in the OTP case without the extra prompt.
> no_prompt doesn't help as the password doesn't stay on the stack.

I'm assuming this is because the Kerberos library doesn't think that the
passed-in password can be sent after the FAST negotiation and therefore
re-prompts internally?  I'm not sure I entirely understand the logic flow
here.

-- 
Russ Allbery (eagle at eyrie.org)             <https://www.eyrie.org/~eagle/>


More information about the Kerberos mailing list