Subject: Re: Always prompting for OTP
From: Russ Allbery
Newsgroups: comp.protocols.kerberos
Organization: The Eyrie
Date: Tue, 10 May 2022 18:05 UTC
References: 1 2 3 4
BuzzSaw Code <buzzsaw.code@gmail.com> writes:

> A bad side effect of this behavior is that the calling PAM module never
> gets that OTP value so it isn't available for other modules in the
> stack, so they too prompt for credentials because they think the
> password has not been entered yet.

What behavior do you expect here?  For the full OTP+password string to be
carried over to other modules in the stack, or only the password?

If the latter, I believe this inherently requires that the pam_krb5 module
know to disassemble the password (which would probably also solve your
other problems at the cost of more complexity in the PAM module).

--
Russ Allbery (eagle@eyrie.org)             https://www.eyrie.org/~eagle/
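The distinction Russ draws (carry the full OTP+password string to the rest of the stack, or only the password, which forces the Kerberos module to disassemble the response) comes down to what the first module leaves in the shared PAM_AUTHTOK item. The following toy model of a two-module auth stack is an added example for this thread; it is not pam_krb5, pam-krb5 or Linux-PAM code, and the names `PamHandle`, `otp_module`, `password_module`, `run_stack` and the `otp_len` knob are constructed for illustration. The second module uses try_first_pass semantics (reuse the token if one is present, otherwise prompt), which is what produces the double prompt the original poster describes.

```python
"""Toy model of PAM_AUTHTOK sharing across a stacked auth chain.

Constructed example: it models three choices the first module can make
with a combined "password+OTP" response and shows what a later module
configured with try_first_pass then sees.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class PamHandle:
    """Minimal stand-in for pam_handle_t (constructed for this example).

    Holds the shared PAM_AUTHTOK item and records every prompt issued
    through the conversation function so the outcome can be inspected.
    """
    responses: List[str]                  # scripted user input, in order
    authtok: Optional[str] = None         # the shared PAM_AUTHTOK item
    prompts: List[str] = field(default_factory=list)

    def converse(self, prompt: str) -> str:
        self.prompts.append(prompt)
        return self.responses.pop(0)


def otp_module(pamh: PamHandle, mode: str, otp_len: int = 6) -> Tuple[bool, Optional[str]]:
    """First stacked module; prompts once for "password followed by OTP".

    mode selects what it leaves in PAM_AUTHTOK for the modules after it:
      "none"  - stores nothing (the side effect reported in the thread)
      "full"  - stores the combined string unchanged
      "split" - stores only the password; this requires the module to know
                where the OTP starts (otp_len is an assumed, fixed length)
    Returns (accepted, otp_part).
    """
    combined = pamh.converse("Password+OTP: ")
    if mode != "split":
        if mode == "full":
            pamh.authtok = combined
        return True, None
    # Disassemble: a fixed-length numeric suffix is the OTP.  A response that
    # cannot be split is rejected rather than guessed at.
    if len(combined) <= otp_len or not combined[-otp_len:].isdigit():
        return False, None
    password, otp = combined[:-otp_len], combined[-otp_len:]
    pamh.authtok = password
    return True, otp


def password_module(pamh: PamHandle, expected: str) -> bool:
    """Later stacked module with try_first_pass semantics: reuse PAM_AUTHTOK
    when an earlier module set it, otherwise fall back to prompting."""
    if pamh.authtok is not None:
        token = pamh.authtok
    else:
        token = pamh.converse("Password: ")
    return token == expected


def run_stack(mode: str, responses: List[str], password: str = "hunter2") -> Tuple[bool, int, Optional[str]]:
    """Run otp_module then password_module; both must succeed ("required").

    Returns (stack_ok, number_of_prompts, authtok_seen_by_second_module).
    """
    pamh = PamHandle(responses=list(responses))
    ok1, _ = otp_module(pamh, mode)
    seen = pamh.authtok
    ok2 = password_module(pamh, password)
    return ok1 and ok2, len(pamh.prompts), seen


if __name__ == "__main__":
    # Constructed inputs: the password is "hunter2", the OTP is "123456".
    for mode, answers in (("none", ["hunter2123456", "hunter2"]),
                          ("full", ["hunter2123456"]),
                          ("split", ["hunter2123456"])):
        ok, nprompts, seen = run_stack(mode, answers)
        print(f"{mode:5s} ok={ok} prompts={nprompts} authtok={seen!r}")
```

Running it shows the three outcomes: with "none" the second module prompts again (two prompts), with "full" it receives the combined string and rejects it against the real password, and only "split" lets the rest of the stack authenticate from a single prompt, at the cost of the first module having to know the OTP format.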

