Add support for Access-Challenge response for OTP/RADIUS
pbrezina at redhat.com
Tue Jun 15 04:36:28 EDT 2021
On 6/10/21 5:15 PM, Alexander Bokovoy wrote:
> On Thu, 10 Jun 2021, Greg Hudson wrote:
>> On 6/9/21 3:36 AM, Alexander Bokovoy wrote:
>>> - check if 'otp' string is present in the rock config
>>> - if it is present, check if it contains a challenge request flag
>>> - if challenge request flag is present, ask RADIUS server for the
>>> information and expect it to return Access-Challenge with the
>>> State attribute.
>>> - if Access-Challenge is missing, fail OTP processing
>>> - if Access-Challenge is present, set the challenge of the token
>>> info into the challenge value from the RADIUS packet
>> This sounds reasonable.
>>> What we also need is to preserve the state from Access-Challenge to be
>>> reused when client response would come back.
>> Have a look at the set_cookie() and get_cookie() callbacks in the
>> kdcpreauth interface. You can find an example of their use in
> Thanks, that looks like what we need. Pavel, does this clarify a
> question for you too?
Yes, thank you. This looks doable.
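
The check discussed in this thread (require an Access-Challenge and take its State attribute so it can be preserved for the client's response) can be sketched as follows. This is an added example, not code from the thread or from krb5: the function name and both sample packets are constructed for illustration, and the numeric codes are the RFC 2865 values.

```c
#include <stdint.h>
#include <stdio.h>

#define RAD_ACCESS_CHALLENGE 11  /* RFC 2865 packet code */
#define RAD_ATTR_STATE       24  /* RFC 2865 State attribute type */
#define RAD_HDR_LEN          20  /* code, id, length(2), authenticator(16) */

/* Hypothetical helper: return 0 and point *state at the State value of an
 * Access-Challenge; return -1 for any other code, malformed lengths, or a
 * missing State, so the caller fails OTP processing. */
int find_challenge_state(const uint8_t *pkt, size_t pkt_len,
                         const uint8_t **state, size_t *state_len)
{
    size_t len, off = RAD_HDR_LEN;

    if (pkt_len < RAD_HDR_LEN || pkt[0] != RAD_ACCESS_CHALLENGE)
        return -1;
    len = ((size_t)pkt[2] << 8) | pkt[3];
    if (len < RAD_HDR_LEN || len > pkt_len)
        return -1;                      /* declared length exceeds buffer */
    while (off < len) {
        /* Each attribute is type(1), length(1), value(length - 2). */
        if (len - off < 2 || pkt[off + 1] < 2 || pkt[off + 1] > len - off)
            return -1;
        if (pkt[off] == RAD_ATTR_STATE && pkt[off + 1] > 2) {
            *state = pkt + off + 2;
            *state_len = (size_t)pkt[off + 1] - 2;
            return 0;
        }
        off += pkt[off + 1];
    }
    return -1;                          /* Access-Challenge without State */
}

/* Constructed sample packets (zeroed authenticator), not captured traffic. */
static const uint8_t sample_challenge[] = {
    11, 1, 0, 32, 0,0,0,0, 0,0,0,0, 0,0,0,0, 0,0,0,0,
    18, 6, 'O','T','P','?',            /* Reply-Message */
    24, 6, 'a','b','c','d' };          /* State */
static const uint8_t sample_reject[] = {
    3, 1, 0, 20, 0,0,0,0, 0,0,0,0, 0,0,0,0, 0,0,0,0 };

int main(void)
{
    const uint8_t *st; size_t n;
    if (find_challenge_state(sample_challenge, sizeof(sample_challenge), &st, &n) == 0)
        printf("State to preserve: %.*s\n", (int)n, (const char *)st);
    if (find_challenge_state(sample_reject, sizeof(sample_reject), &st, &n) != 0)
        printf("no usable Access-Challenge: fail OTP processing\n");
    return 0;
}
```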