PAM with OTP
Russ Allbery
rra at stanford.edu
Fri Aug 23 13:41:23 EDT 2013
Cornelius Kölbel <cornelius.koelbel at lsexperts.de> writes:
> Dear list members,
> I guess this one goes to Russ Allbery. I configured OTPOverRadius and on
> a client machine pam_krb using anonymous PKINT to get an armor ticket
> for my OTP authentication.
> [appdefaults]
> pam = {
> minimum_uid = 1000
> anon_fast = true
> }
> pam_krb5 seems to come as first auth module in my pam stack, but I am
> always asked for a password (where I can enter anything) and only then I
> am asked for "Enter OTP Token Value".
> How can I get rid of the first password prompt?
no_prompt = true
pam_krb5 by default always does the password prompting itself, since it
has to have knowledge of the password internally to satisfy normal PAM
semantics (try_first_pass and use_first_pass options on subsequent
modules, for example). no_prompt disables this behavior and leaves all
prompting to the Kerberos library.
--
Russ Allbery (rra at stanford.edu) <http://www.eyrie.org/~eagle/>
More information about the krbdev
mailing list