OTPOverRadius IPA vs Krb

Nathaniel McCallum npmccallum at redhat.com
Wed Jun 19 14:43:26 EDT 2013

On Wed, 2013-06-12 at 00:28 -0700, Henry B. Hotz wrote:
> OK, so this isn't a question for Dimitri.  How does one set the required "user string" with kadmin?
> Would it be
> kadmin.local:  set_string smith at TEST.REALM otp "[{}]"
> kadmin.local:  

Yes. However, you should be aware that you will also need to disable
other preauth mechs, or you are not likely to get the behavior you
desire. FreeIPA does this by returning 0 keys for the user with otp
enabled. You can do this manually for all users by disabling the plugins
in the KDC. There is currently no way to delete the keys for the user
without a KDB plugin.


More information about the krbdev mailing list