Subject: Re: Always prompting for OTP
From: BuzzSaw Code
Newsgroups: comp.protocols.kerberos
Organization: TNet Consulting
Date: Tue, 10 May 2022 18:40 UTC
References: 1 2 3 4 5
Message-ID: <mailman.59.1652208075.8148.kerberos@mit.edu>
In-Reply-To: <8735hhs1om.fsf@hope.eyrie.org>
To: Russ Allbery <eagle@eyrie.org>
Cc: Greg Hudson <ghudson@mit.edu>, kerberos@mit.edu
On Tue, May 10, 2022 at 2:05 PM Russ Allbery <eagle@eyrie.org> wrote:

> BuzzSaw Code <buzzsaw.code@gmail.com> writes:
>
>> A bad side effect of this behavior is that the calling PAM module never
>> gets that OTP value so it isn't available for other modules in the
>> stack, so they too prompt for credentials because they think the
>> password has not been entered yet.
>
> What behavior do you expect here?  For the full OTP+password string to be
> carried over to other modules in the stack, or only the password?


We want the full OTP+password string just passed without modification.  It
would also be nice if when we use
try_first_pass/use_first_pass/force_first_pass options with pam_krb5 that
it actually did that in the OTP case without the extra prompt.  no_prompt
doesn't help as the password doesn't stay on the stack.

In this use case we're dealing with systems that use OpenPAM vs Linux-PAM
so we don't have any of the more advanced syntax to skip modules.  We
can't use 'sufficient' to immediately jump out of the stack as we want some
of the later modules to run.
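
The stacking problem described in this reply, modelled as an added example (not code from pam-krb5, OpenPAM or the poster): a toy PAM dispatcher with OpenPAM's five control flags and a shared PAM_AUTHTOK item. Module names, return-code values and the secret string are constructed; `krb5_otp_module` with `store_in_authtok=False` stands in for the reported behaviour where the OTP is collected by the Kerberos library's own prompter and never lands in PAM_AUTHTOK, so the next module with `try_first_pass` prompts again, a module with `use_first_pass` fails outright, and `sufficient` would only avoid the second prompt by never running the later module at all.

```python
"""Toy model of a PAM auth stack with OpenPAM control flags and the shared
PAM_AUTHTOK item. Constructed example: not OpenPAM's, Linux-PAM's or pam-krb5's
code. Return codes and module names are illustrative."""
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Set

PAM_SUCCESS, PAM_AUTH_ERR, PAM_AUTHTOK_ERR = 0, 7, 20   # illustrative values


@dataclass
class Handle:
    conv: Callable[[str], str]                 # conversation callback: prompt -> answer
    authtok: Optional[str] = None              # shared PAM_AUTHTOK item
    prompts: List[str] = field(default_factory=list)   # every prompt the user saw
    ran: List[str] = field(default_factory=list)       # modules that actually executed


def get_authtok(h: Handle, opts: Set[str], prompt: str) -> Optional[str]:
    """The usual pam_get_authtok() convention: reuse the stored token when
    try_first_pass/use_first_pass is set, otherwise prompt and store it."""
    if h.authtok is not None and opts & {"try_first_pass", "use_first_pass"}:
        return h.authtok
    if "use_first_pass" in opts:               # must reuse, but nothing is stored
        return None
    h.prompts.append(prompt)
    h.authtok = h.conv(prompt)
    return h.authtok


def krb5_otp_module(opts: Set[str], expected: str, store_in_authtok: bool):
    """Hypothetical Kerberos module. With store_in_authtok=False it models the
    behaviour the thread describes: the OTP is collected by the library's own
    prompter and never written to PAM_AUTHTOK."""
    def mod(h: Handle) -> int:
        h.ran.append("krb5")
        tok = h.authtok if "try_first_pass" in opts else None
        if tok is None:
            h.prompts.append("krb5 OTP prompt")
            tok = h.conv("Enter OTP Password: ")
            if store_in_authtok:
                h.authtok = tok
        return PAM_SUCCESS if tok == expected else PAM_AUTH_ERR
    return mod


def password_module(opts: Set[str], expected: str):
    """Hypothetical later module that validates the same OTP+password string."""
    def mod(h: Handle) -> int:
        h.ran.append("password")
        tok = get_authtok(h, opts, "Password: ")
        if tok is None:
            return PAM_AUTHTOK_ERR
        return PAM_SUCCESS if tok == expected else PAM_AUTH_ERR
    return mod


def run_stack(stack, conv):
    """OpenPAM-style dispatch over [(control, module), ...] -> (rc, handle).
    OpenPAM has only these five controls; there is no Linux-PAM
    [success=N default=ignore] skip syntax to jump over a module."""
    h = Handle(conv=conv)
    first_fail = None
    for control, mod in stack:
        rc = mod(h)
        if control == "requisite" and rc != PAM_SUCCESS:
            return rc, h                        # abort the stack immediately
        if control in ("required", "binding") and rc != PAM_SUCCESS:
            first_fail = rc if first_fail is None else first_fail
        elif control in ("sufficient", "binding") and rc == PAM_SUCCESS and first_fail is None:
            return PAM_SUCCESS, h               # short-circuit: later modules never run
        # "optional": result ignored
    return (PAM_SUCCESS if first_fail is None else first_fail), h


SECRET = "123456hunter2"   # constructed: 6-digit OTP concatenated with the password


def demo(store_in_authtok: bool, krb5_control: str = "required",
         later_opts: Set[str] = frozenset({"try_first_pass"})):
    """Run a two-module stack; report (rc, number of prompts, modules that ran)."""
    stack = [
        (krb5_control, krb5_otp_module({"try_first_pass"}, SECRET, store_in_authtok)),
        ("required", password_module(set(later_opts), SECRET)),
    ]
    rc, h = run_stack(stack, conv=lambda prompt: SECRET)
    return rc, len(h.prompts), tuple(h.ran)


if __name__ == "__main__":
    print("OTP not stored, required:      ", demo(False))
    print("OTP stored, required:          ", demo(True))
    print("OTP not stored, sufficient:    ", demo(False, "sufficient"))
    print("OTP not stored, use_first_pass:", demo(False, later_opts={"use_first_pass"}))
```

Running it shows the four cases side by side: with the token not stored, the second module prompts a second time; with it stored, one prompt serves both modules; `sufficient` on the first module gives one prompt only because the password module never executes; and `use_first_pass` on the later module turns the missing PAM_AUTHTOK into a hard failure rather than a re-prompt.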

