Add support for Access-Challenge response for OTP/RADIUS
Greg Hudson
ghudson at mit.edu
Thu Jun 10 10:58:07 EDT 2021

On 6/9/21 3:36 AM, Alexander Bokovoy wrote:
> - check if 'otp' string is present in the rock config
>   - if it is present, check if it contains a challenge request flag
>     - if challenge request flag is present, ask RADIUS server for the
>       information and expect it to return Access-Challenge with the
>       State attribute.
>       - if Access-Challenge is missing, fail OTP processing
>       - if Access-Challenge is present, set the challenge of the token
>         info into the challenge value from the RADIUS packet

This sounds reasonable.

> What we also need is to preserve the state from Access-Challenge to be
> reused when client response would come back.

Have a look at the set_cookie() and get_cookie() callbacks in the
kdcpreauth interface.  You can find an example of their use in
plugins/preauth/spake/spake_kdc.c.
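
The reply-handling steps outlined in the quoted proposal, as an added example that is not part of this thread or of the krb5 source: a bounds-checked parser that accepts only an Access-Challenge carrying a State attribute and fails otherwise. The `challenge_info` struct, the function name, the sample packet, and the use of Reply-Message as the prompt text are assumptions made for illustration; the State bytes it returns are the value that has to survive until the client's response arrives.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define RADIUS_ACCESS_CHALLENGE   11   /* packet code, RFC 2865 */
#define RADIUS_ATTR_REPLY_MESSAGE 18   /* assumed source of the prompt text */
#define RADIUS_ATTR_STATE         24
#define RADIUS_HDR_LEN            20   /* code, id, length, authenticator */

/* Hypothetical holder for this example; not a krb5 type. Pointers alias pkt. */
struct challenge_info {
    const uint8_t *state;  size_t state_len;
    const uint8_t *prompt; size_t prompt_len;
};

/* Constructed sample: Access-Challenge, Reply-Message "PIN?", 3-byte State. */
const uint8_t sample_challenge[31] = {
    11, 1, 0, 31, 0,0,0,0, 0,0,0,0, 0,0,0,0, 0,0,0,0,
    18, 6, 'P', 'I', 'N', '?',  24, 5, 0xde, 0xad, 0x01
};

/* Return 0 and fill *out, or -1 when the reply is malformed, is not an
 * Access-Challenge, or has no State attribute (OTP processing must fail). */
int parse_access_challenge(const uint8_t *pkt, size_t len,
                           struct challenge_info *out)
{
    size_t plen, off, alen;
    memset(out, 0, sizeof(*out));
    if (len < RADIUS_HDR_LEN)
        return -1;
    plen = ((size_t)pkt[2] << 8) | pkt[3];      /* big-endian Length field */
    if (plen < RADIUS_HDR_LEN || plen > len || pkt[0] != RADIUS_ACCESS_CHALLENGE)
        return -1;
    for (off = RADIUS_HDR_LEN; off < plen; off += alen) {
        if (plen - off < 2)
            return -1;                          /* truncated attribute header */
        alen = pkt[off + 1];                    /* length includes type+len */
        if (alen < 2 || alen > plen - off)
            return -1;                          /* attribute overruns packet */
        if (pkt[off] == RADIUS_ATTR_STATE) {
            out->state = pkt + off + 2;
            out->state_len = alen - 2;
        } else if (pkt[off] == RADIUS_ATTR_REPLY_MESSAGE) {
            out->prompt = pkt + off + 2;
            out->prompt_len = alen - 2;
        }
    }
    return out->state != NULL ? 0 : -1;
}
```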