| Always prompting for OTP||BuzzSaw Code|
Always prompting for OTPFrom: BuzzSaw CodeNewsgroups:
Tue, 10 May 2022 15:47 UTC
View all headers
I'm trying to understand if the behavior I'm seeing is by design or a bug.rocksolid light 0.7.2
Using the 1.19.3 release along with Russ Allbery's pam_krb5, no matter what
options are set for pam_krb5, when using one of our accounts setup for
RadiusOverOTP, the krb5 library prompter asks for the OTP token.
Tracing the calls and adding our own debug statements we see that the
password is being passed in to the Kerberos library routines.
It seems like the original credentials that were passed in, which is the
valid OTP "pin+password", are tossed by the krb5 library routines once the
KDC responds asking for preauth and the anonymous FAST conversation is done
no matter what.
Is there no way to tell the library to use the credentials we gave you
without asking for more information?