Add support for Access-Challenge response for OTP/RADIUS

Greg Hudson ghudson at
Tue Jun 8 12:36:58 EDT 2021

On 6/8/21 7:46 AM, Pavel Březina wrote:
> At this moment, it accepts Access-Challenge and unconditionally sends 
> another Access-Request with State attribute set. But I need help with 
> delivering the prompt to the user. Can you give me some hints on how to 
> deliver the prompt to the Kerberos client (e.g. kinit) and then send 
> user's reply back to KDC and RADIUS server?

The RADIUS code in MIT krb5 is not designed to be a general
RADIUS-to-krb5 bridge.  It's just there as a mechanism to verify a PIN
sent over FAST OTP.  By the time the KDC makes a RADIUS request,
interaction with the client (and therefore the user) has already ended,
except for the delivery of an error or issued ticket.

Can you describe at a higher level what the goal is?
