Re: Always prompting for OTP
From: BuzzSaw Code
Newsgroups:
Tue, 10 May 2022 17:51 UTC
> This is by design. The basic Kerberos protocol does not reveal the
> password to the KDC, but FAST OTP does reveal the OTP value (encrypted
> within the FAST channel). So for libkrb5 to transparently send the
> password to the KDC when the KDC asks for FAST OTP would have security
I guess I'm missing the security issue if I'm asking it to send the
credentials originally supplied in that FAST channel. We're
using anonymous FAST so I didn't expect (or want) it to send those outside
> pam_krb5 could work around this decision via its prompter callback, and
> that might be reasonable to implement as an option.
I started looking at that by trying to trace down where the library removes
the password but haven't been able to follow all of the code (yet).
A bad side effect of this behavior is that the calling PAM module never
gets that OTP value so it isn't available for other modules in the stack,
so they too prompt for credentials because they think the password has not
been entered yet.