Always prompting for OTP

Russ Allbery eagle at eyrie.org
Tue May 10 17:12:34 EDT 2022


BuzzSaw Code <buzzsaw.code at gmail.com> writes:

> But that prompt is a callback to the prompter routine in pam_krb5 passed
> in so I could bypass that prompt by just force feeding the "password"
> into the response structure, right?

Yes, you can intercept it inside pam_krb5.  It's really ugly from a
pam-krb5 architecture perspective, though, so I'm not sure I'd want to
incorporate that upstream.

I feel like we went through a very similar problem with the use_pkinit
option and we came up with some solution that didn't require doing this
response injection thing, but I seem to have swapped all of that out of my
brain.  But maybe that was a different problem, since, looking at the
code, I think I used a prompter that rejected all password prompts, which
is sort of the opposite problem from the problem you're having.

-- 
Russ Allbery (eagle at eyrie.org)             <https://www.eyrie.org/~eagle/>

