Re: Always prompting for OTP
From: Greg Hudson
Date: Tue, 10 May 2022 17:02 UTC
On 5/10/22 11:47, BuzzSaw Code wrote:
> I'm trying to understand if the behavior I'm seeing is by design or a bug.
> It seems like the original credentials that were passed in, which is the
> valid OTP "pin+password", are tossed by the krb5 library routines once the
> KDC responds asking for preauth and the anonymous FAST conversation is done
> no matter what.
This is by design. The basic Kerberos protocol does not reveal the
password to the KDC, but FAST OTP does reveal the OTP value (encrypted
within the FAST channel). So for libkrb5 to transparently send the
password to the KDC when the KDC asks for FAST OTP would have security

pam_krb5 could work around this decision via its prompter callback, and
that might be reasonable to implement as an option.
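As an added example (my code, not from this thread or from MIT krb5), here is a prompter callback of the kind Greg describes for pam_krb5: it answers the OTP prompt from the pin+password the module collected earlier, exactly once, and scrubs the value afterwards so a retry cannot resend it. Assumed: the OTP prompt text, the stand-in types used when krb5.h is not available, and the constructed token value in the demo.

```c
/* Added example: krb5 prompter callback that supplies a previously collected
 * OTP value once, then scrubs it. Build with -DHAVE_KRB5_H against libkrb5;
 * otherwise the stand-in types (assumed to mirror krb5.h) let it compile alone. */
#include <string.h>
#ifdef HAVE_KRB5_H
#include <krb5.h>
#else
typedef int krb5_error_code;
typedef void *krb5_context;
typedef struct { int magic; unsigned int length; char *data; } krb5_data;
typedef struct { char *prompt; int hidden; krb5_data *reply; } krb5_prompt;
#define KRB5_LIBOS_CANTREADPWD 1   /* stand-in value, not the real code */
#endif
#define OTP_PROMPT_PREFIX "Enter OTP Token Value"   /* assumed prompt text */
struct otp_answer { char *otp; int consumed; };

krb5_error_code otp_prompter(krb5_context ctx, void *data, const char *name,
                             const char *banner, int num_prompts, krb5_prompt prompts[])
{
    struct otp_answer *a = data;
    (void)ctx; (void)name; (void)banner;
    for (int i = 0; i < num_prompts; i++) {
        krb5_data *r = prompts[i].reply; size_t n;
        /* Refuse anything that is not the OTP prompt, and never replay the value. */
        if (strncmp(prompts[i].prompt, OTP_PROMPT_PREFIX, strlen(OTP_PROMPT_PREFIX)) != 0
            || a->consumed || a->otp == NULL)
            return KRB5_LIBOS_CANTREADPWD;
        n = strlen(a->otp);
        if (n >= r->length)      /* reply->length is the caller's buffer size */
            return KRB5_LIBOS_CANTREADPWD;
        memcpy(r->data, a->otp, n + 1);   /* includes the terminating NUL */
        r->length = (unsigned int)n;      /* convention: set to the actual length */
        memset(a->otp, 0, n);             /* scrub the one-time value from memory */
        a->consumed = 1;
    }
    return 0;
}

/* Drive it as a PAM module would: first OTP prompt answered, a repeat refused. */
int demo_once_only(void)
{
    char buf[64], otp[] = "1234567890", text[] = "Enter OTP Token Value: "; /* constructed */
    krb5_data reply = { 0, sizeof(buf), buf };
    struct otp_answer a = { otp, 0 };
    krb5_prompt p = { text, 1, &reply };
    if (otp_prompter(NULL, &a, "user@EXAMPLE.COM", NULL, 1, &p) != 0) return 0;
    if (reply.length != 10 || strcmp(buf, "1234567890") != 0) return 0;
    reply.length = sizeof(buf);
    return otp_prompter(NULL, &a, "user@EXAMPLE.COM", NULL, 1, &p) != 0 && otp[0] == '\0';
}
```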