PAM with OTP

Cornelius Kölbel cornelius.koelbel at
Fri Aug 23 17:41:29 EDT 2013

Am 23.08.2013 19:41, schrieb Russ Allbery:
> Cornelius Kölbel <cornelius.koelbel at> writes:
>> Dear list members,
>> I guess this one goes to Russ Allbery. I configured OTPOverRadius and on
>> a client machine pam_krb using anonymous PKINT to get an armor ticket
>> for my OTP authentication.
>> [appdefaults]
>> pam = {
>>    minimum_uid = 1000
>>    anon_fast = true
>> }
>> pam_krb5 seems to come as first auth module in my pam stack, but I am
>> always asked for a password (where I can enter anything) and only then I
>> am asked for "Enter OTP Token Value".
>> How can I get rid of the first password prompt?
> no_prompt = true
> pam_krb5 by default always does the password prompting itself, since it
> has to have knowledge of the password internally to satisfy normal PAM
> semantics (try_first_pass and use_first_pass options on subsequent
> modules, for example).  no_prompt disables this behavior and leaves all
> prompting to the Kerberos library.
Hi Russ,

that was easy. Hm, I think if I had read everything this would have been
written somewhere.

Thanks a lot and kind regards

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 263 bytes
Desc: OpenPGP digital signature
Url :

More information about the krbdev mailing list