Subject: Re: Always prompting for OTP
From: BuzzSaw Code
Date: Tue, 10 May 2022 18:40 UTC
On Tue, May 10, 2022 at 2:05 PM Russ Allbery <email@example.com> wrote:
> BuzzSaw Code <firstname.lastname@example.org> writes:
>> A bad side effect of this behavior is that the calling PAM module never
>> gets that OTP value so it isn't available for other modules in the
>> stack, so they too prompt for credentials because they think the
>> password has not been entered yet.
> What behavior do you expect here? For the full OTP+password string to be
> carried over to other modules in the stack, or only the password?
We want the full OTP+password string just passed without modification. It
would also be nice if when we use
try_first_pass/use_first_pass/force_first_pass options with pam_krb5 that
it actually did that in the OTP case without the extra prompt. no_prompt
doesn't help as the password doesn't stay on the stack.
In this use case we're dealing with systems that use OpenPAM vs Linux-PAM
so we don't have any of the more advanced syntax to skip modules. We
can't use 'sufficient' to immediately jump out of the stack as we want some
of the later modules to run.
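The stack the poster describes, written out as an OpenPAM-style pam.d fragment. This is an added illustration, not a configuration from the thread or from the pam-krb5 project; the service name and the second module (pam_example_audit.so) are placeholders, and the comments state the observed versus desired behaviour as the message above describes it.

```text
# /etc/pam.d/sshd  (constructed example, OpenPAM syntax: type control module options)
#
# Every module here is "required" rather than "sufficient": the poster wants
# the later modules to run even when pam_krb5 succeeds, and OpenPAM lacks the
# Linux-PAM "[success=N ...]" syntax that would let a module skip the rest.
#
# With a plain password, pam_krb5 stores the entered string as PAM_AUTHTOK and
# the next module picks it up via use_first_pass, so the user is asked once.
#
# With OTP+password, the thread reports that pam_krb5 issues its own OTP prompt
# and does not leave the combined string in PAM_AUTHTOK, so the placeholder
# module below (use_first_pass) finds no token and prompts again. The
# requested fix is for the full OTP+password string to be stored unmodified.
auth    required    pam_krb5.so            try_first_pass
auth    required    pam_example_audit.so   use_first_pass   # placeholder module
account required    pam_krb5.so
session required    pam_krb5.so
```

Reading the fragment as a checklist: if a user is prompted twice on an OTP-enabled account but once on a password-only account, the second prompt is coming from the use_first_pass module finding an empty authentication token, which is exactly the symptom described above.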