PAM with OTP

Russ Allbery rra at
Fri Aug 23 13:41:23 EDT 2013

Cornelius Kölbel <cornelius.koelbel at> writes:

> Dear list members,

> I guess this one goes to Russ Allbery. I configured OTPOverRadius and on
> a client machine pam_krb using anonymous PKINT to get an armor ticket
> for my OTP authentication.

> [appdefaults]
> pam = {
>    minimum_uid = 1000
>    anon_fast = true
> }

> pam_krb5 seems to come as first auth module in my pam stack, but I am
> always asked for a password (where I can enter anything) and only then I
> am asked for "Enter OTP Token Value".
> How can I get rid of the first password prompt?

no_prompt = true

pam_krb5 by default always does the password prompting itself, since it
has to have knowledge of the password internally to satisfy normal PAM
semantics (try_first_pass and use_first_pass options on subsequent
modules, for example).  no_prompt disables this behavior and leaves all
prompting to the Kerberos library.

Russ Allbery (rra at             <>

More information about the krbdev mailing list