Add support for Access-Challenge response for OTP/RADIUS
ghudson at mit.edu
Tue Jun 8 12:36:58 EDT 2021
On 6/8/21 7:46 AM, Pavel Březina wrote:
> At this moment, it accepts Access-Challenge and unconditionally sends
> another Access-Request with State attribute set. But I need help with
> delivering the prompt to the user. Can you give me some hints on how to
> deliver the prompt to the Kerberos client (e.g. kinit) and then send
> user's reply back to KDC and RADIUS server?
The RADIUS code in MIT krb5 is not designed to be a general
RADIUS-to-krb5 bridge. It's just there as a mechanism to verify a PIN
sent over FAST OTP. By the time the KDC makes a RADIUS request,
interaction with the client (and therefore the user) has already ended,
except for the delivery of an error or issued ticket.
Can you describe at a higher level what the goal is?