Subject: Always prompting for OTP
From: BuzzSaw Code
Newsgroups: comp.protocols.kerberos
Organization: TNet Consulting
Date: Tue, 10 May 2022 15:47 UTC
I'm trying to understand if the behavior I'm seeing is by design or a bug.

Using the 1.19.3 release along with Russ Allbery's pam_krb5, no matter what
options are set for pam_krb5, when using one of our accounts set up for
RadiusOverOTP, the krb5 library prompter asks for the OTP token.

Tracing the calls and adding our own debug statements we see that the
password is being passed in to the Kerberos library routines.

It seems like the original credentials that were passed in, which is the
valid OTP "pin+password", are tossed by the krb5 library routines once the
KDC responds asking for preauth and the anonymous FAST conversation is done
no matter what.

Is there no way to tell the library to use the credentials we gave you
without asking for more information?

V/r,
DC

