Configuring OTPOverRadius

Cornelius Kölbel cornelius.koelbel at
Thu Aug 8 07:39:45 EDT 2013

Am 07.08.2013 17:47, schrieb Greg Hudson:
> On 08/07/2013 05:05 AM, Cornelius Kölbel wrote:
>> The KDC log tells me, that the anonymous ticket was issued and the 
>> ticked based on the users password. No OTP plugin involved.
>> Aug 06 01:11:08 krb-kdc krb5kdc[29207](info): AS_REQ (6 etypes {18
>> 17 16 23 25 26}) NEEDED_PREAUTH:
>> cornelius at TEST.LSEXPERTS.DE for
>> pre-authentication required Aug 06 01:11:50 krb-kdc
>> krb5kdc[29207](info): AS_REQ (6 etypes {18 17 16 23 25 26})
>> ISSUE: authtime 1375744310, etypes {rep=18 tkt=18
>> ses=18}, cornelius at TEST.LSEXPERTS.DE for
> I'm not sure what you're missing.  If you successfully purged all of
> the keys from cornelius with purgekeys -all, there should be no
> password to authenticate with.  "getprinc cornelius" should say
> "Number of keys: 0".
> I think there's something else wrong as well, though.  Even with
> long-term keys on the cornelius entry, OTP should be offered before
> encrypted challenge and the client should prompt for it.
>> So I rebuilt with
>> ./configure CFLAGS=-g
>> ...but it brought no additional output and insight. How do you
>> recommend to increase debug and get the OTP Preauth tested?
> Building with -g just makes it easier to run a debugger on the
> binaries; it doesn't cause the binaries to generate additional output.
> You can get additional information on the client side by running kinit
> with the KRB5_TRACE environment variable set to a filename or to
> /dev/stdout.  So, for example:
>   KRB5_TRACE=/dev/stdout kinit -T /tmp/krb5cc_0 cornelius
> The first thing to check is that you are successfully using FAST.
> Near the beginning, you should see a line like:
>   FAST armor key: aes256-cts/C54D
> and a little later on you should see "Decoding FAST response", in a
> context like this:
>   Received error from KDC: -1765328359/Additional pre-authentication
> required
>   Decoding FAST response
>   Processing preauth types: 136, 19, 141, 133, 137
> The next question is what preauth types the KDC is offering.  The
> types can be translated by looking at src/include/krb5/krb5.hin and
> searching for "PADATA types".  In the above example, 136, 19, 133, and
> 137 are informational padata types, and 141 is OTP-CHALLENGE, which
> causes the client to prompt for an OTP token value.  In your case, I
> expect different output.
> If you are using FAST and the KDC is not offering OTP, then you may
> need more information from the KDC side, which unfortunately is not as
> finely instrumented yet.  You might need to attach to the krb5kdc
> process with gdb, set a breakpoint in otp_edata, and find out why it's
> deciding not to produce a challenge for the preauth-required error.
Hi Greg,
I set the breakpoint to

    (gdb) break plugins/preauth/otp/main.c:197
    No source file named plugins/preauth/otp/main.c.
    Make breakpoint pending on future shared library load? (y or [n]) y
    Breakpoint 1 (plugins/preauth/otp/main.c:197) pending.

but it does not break - as if it did not load the otp preauth plugin at all.
Can I stop an break somewhere where otp should be loaded?

Kind regards

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 263 bytes
Desc: OpenPGP digital signature
Url :

More information about the krbdev mailing list