otp over radius preauthentication

Greg Hudson ghudson at MIT.EDU
Mon May 19 10:15:08 EDT 2014

I took this off-list to avoid excessive noise.  Here is a summary of our

* Frederic was using a system verto package at version 0.2.4, which had
a bug in the libev implementation of verto_set_flags.  This was causing
the OTP plugin to be unable to see RADIUS replies.  Upgrading to verto
0.2.6 fixed the problem.  The bundled version of verto in the krb5
sources (0.2.5) is unaffected.

* There is a KDC crash bug when the principal's OTP config contains
invalid JSON.  I have submitted a fix, which will be in 1.12.2.  (This
isn't a security issue because principal OTP configuration is trusted
input.  It's a null pointer dereference only.)

* kadmin does not make it easy to set string attributes containing JSON
values because of quoting issues.  It would be good if we could address
this, but I don't have an idea at the moment.  For now you have to write
things like:

  setstr princname otp "[{""type"": ""yubikey""}]"

More information about the krbdev mailing list