PAM with OTP

Cornelius Kölbel cornelius.koelbel at lsexperts.de
Fri Aug 23 17:41:29 EDT 2013


On 23.08.2013 19:41, Russ Allbery wrote:
> Cornelius Kölbel <cornelius.koelbel at lsexperts.de> writes:
>
>> Dear list members,
>> I guess this one goes to Russ Allbery. I configured OTPOverRadius and on
>> a client machine pam_krb using anonymous PKINIT to get an armor ticket
>> for my OTP authentication.
>> [appdefaults]
>> pam = {
>>    minimum_uid = 1000
>>    anon_fast = true
>> }
>> pam_krb5 seems to come as first auth module in my pam stack, but I am
>> always asked for a password (where I can enter anything) and only then am I
>> asked for "Enter OTP Token Value".
>> How can I get rid of the first password prompt?
> no_prompt = true
>
> pam_krb5 by default always does the password prompting itself, since it
> has to have knowledge of the password internally to satisfy normal PAM
> semantics (try_first_pass and use_first_pass options on subsequent
> modules, for example).  no_prompt disables this behavior and leaves all
> prompting to the Kerberos library.
>
Hi Russ,

that was easy. Hm, I think if I had read everything this would have been
written somewhere.

Thanks a lot and kind regards
Cornelius
