[krbdev.mit.edu #8340] ksu broken with 2FA principals again
Greg Hudson via RT
rt-comment at krbdev.mit.edu
Fri Jan 8 11:46:48 EST 2016
Thanks for the detailed report. This turns out to be very simple:
krb5_get_init_creds_password() accepts a prompter parameter, while the
deprecated krb5_get_in_tkt_with_password() always uses
krb5_prompter_posix(). The referenced commit passes NULL for the
prompter, so preauth modules can't prompt for additional information.
Passing krb5_prompter_posix makes it work. I will submit a PR.
More information about the krb5-bugs
mailing list