Add support for Access-Challenge response for OTP/RADIUS

Alexander Bokovoy abokovoy at
Thu Jun 10 11:15:58 EDT 2021

On to, 10 kesä 2021, Greg Hudson wrote:
>On 6/9/21 3:36 AM, Alexander Bokovoy wrote:
>> - check if 'otp' string is present in the rock config
>>   - if it is present, check if it contains a challenge request flag
>>     - if challenge request flag is present, ask RADIUS server for the
>>       information and expect it to return Access-Challenge with the
>>       State attribute.
>>       - if Access-Challenge is missing, fail OTP processing
>>       - if Access-Challenge is present, set the challenge of the token
>>     info into the challenge value from the RADIUS packet
>This sounds reasonable.
>> What we also need is to preserve the state from Access-Challenge to be
>> reused when client response would come back.
>Have a look at the set_cookie() and get_cookie() callbacks in the
>kdcpreauth interface.  You can find an example of their use in

Thanks, that looks like what we need. Pavel, does this clarify a
question for you too?

/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland

More information about the krbdev mailing list