Always prompting for OTP
Russ Allbery
eagle at eyrie.org
Tue May 10 14:49:23 EDT 2022
BuzzSaw Code <buzzsaw.code at gmail.com> writes:
> We want the full OTP+password string just passed without modification.
Ah, okay, so then in theory the problem could be solved entirely within
the Kerberos libraries, although I haven't wrapped my mind around the
problem Greg identified.
> It would also be nice if when we use
> try_first_pass/use_first_pass/force_first_pass options with pam_krb5
> that it actually did that in the OTP case without the extra prompt.
> no_prompt doesn't help as the password doesn't stay on the stack.
I'm assuming this is because the Kerberos library doesn't think that the
passed-in password can be sent after the FAST negotiation and therefore
re-prompts internally? I'm not sure I entirely understand the logic flow
here.
--
Russ Allbery (eagle at eyrie.org) <https://www.eyrie.org/~eagle/>
More information about the Kerberos
mailing list