Add support for Access-Challenge response for OTP/RADIUS

Pavel Březina pbrezina at
Tue Jun 8 07:46:17 EDT 2021

Hi Kerberos,

Kerberos currently handles only Access-Success replies from OTP/RADIUS 
and treats other messages as failure. RADIUS can also send 
Access-Challenge, which asks the user for more information and delivers the 
prompt inside the Reply-Message attribute.

I'm implementing support for this reply in Kerberos. Here is my WIP 

At this moment, it accepts Access-Challenge and unconditionally sends 
another Access-Request with the State attribute set. But I need help with 
delivering the prompt to the user. Can you give me some hints on how to 
deliver the prompt to the Kerberos client (e.g. kinit) and then send 
the user's reply back to the KDC and RADIUS server?
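
An added example, not part of the original post or of the krb5 patch it mentions: a bounds-checked parser that pulls the Reply-Message prompt and the State value out of an Access-Challenge, following the RFC 2865 packet layout. The names `rad_challenge` and `rad_parse_challenge` are hypothetical, and the sample packet is constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* RFC 2865 packet code, attribute types and fixed header size. */
enum { RAD_ACCESS_CHALLENGE = 11, RAD_REPLY_MESSAGE = 18, RAD_STATE = 24, RAD_HDR_LEN = 20 };

struct rad_challenge {      /* hypothetical type; pointers refer into the caller's buffer */
    const uint8_t *prompt; size_t prompt_len;   /* Reply-Message: text for the user */
    const uint8_t *state;  size_t state_len;    /* State: echo unchanged in the next request */
};

/* Constructed sample: Access-Challenge, id 1, zeroed authenticator, two attributes. */
static const uint8_t sample_challenge[38] = {
    11, 1, 0, 38, 0,0,0,0, 0,0,0,0, 0,0,0,0, 0,0,0,0,
    18, 12, 'E','n','t','e','r',' ','P','I','N',':', 24, 6, 0xde, 0xad, 0xbe, 0xef
};

/* Returns 0 for a well-formed Access-Challenge, -1 for anything else. */
int rad_parse_challenge(const uint8_t *pkt, size_t len, struct rad_challenge *out)
{
    size_t plen, off, alen;
    memset(out, 0, sizeof(*out));
    if (len < RAD_HDR_LEN || pkt[0] != RAD_ACCESS_CHALLENGE)
        return -1;
    plen = ((size_t)pkt[2] << 8) | pkt[3];      /* length field is big-endian */
    if (plen < RAD_HDR_LEN || plen > len)
        return -1;
    for (off = RAD_HDR_LEN; off < plen; off += alen) {
        if (plen - off < 2)                     /* no room for type + length */
            return -1;
        alen = pkt[off + 1];                    /* counts the 2-byte attribute header */
        if (alen < 2 || alen > plen - off)
            return -1;
        if (pkt[off] == RAD_REPLY_MESSAGE && out->prompt == NULL) {
            out->prompt = pkt + off + 2;        /* keep the first Reply-Message only */
            out->prompt_len = alen - 2;
        } else if (pkt[off] == RAD_STATE) {
            out->state = pkt + off + 2;
            out->state_len = alen - 2;
        }
    }
    return 0;
}

int main(void)
{
    struct rad_challenge c;
    return rad_parse_challenge(sample_challenge, sizeof(sample_challenge), &c) == 0 ? 0 : 1;
}
```

The prompt bytes are not NUL-terminated and come from the RADIUS server, so a caller should treat them as untrusted text of length `prompt_len` before showing them to a user.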

