Subject: Re: Always prompting for OTP
From: Russ Allbery
Newsgroups: comp.protocols.kerberos
Organization: The Eyrie
Date: Tue, 10 May 2022 18:49 UTC
Message-ID: <87pmklql3g.fsf@hope.eyrie.org>
In-Reply-To: <CAJhaRZ+i0O37fdzNzhg8PXzPtjeEgdmwv_hAT4m2hFv9VVqeoQ@mail.gmail.com> (BuzzSaw Code's message of "Tue, 10 May 2022 14:40:41 -0400")
To: BuzzSaw Code <buzzsaw.code@gmail.com>
Cc: Greg Hudson <ghudson@mit.edu>, <kerberos@mit.edu>
List-Id: The Kerberos Authentication System Mailing List <kerberos.mit.edu>
BuzzSaw Code <buzzsaw.code@gmail.com> writes:

> We want the full OTP+password string just passed without modification.

Ah, okay, so then in theory the problem could be solved entirely within
the Kerberos libraries, although I haven't wrapped my mind around the
problem Greg identified.

> It would also be nice if when we use
> try_first_pass/use_first_pass/force_first_pass options with pam_krb5
> that it actually did that in the OTP case without the extra prompt.
> no_prompt doesn't help as the password doesn't stay on the stack.

I'm assuming this is because the Kerberos library doesn't think that the
passed-in password can be sent after the FAST negotiation and therefore
re-prompts internally?  I'm not sure I entirely understand the logic flow
here.

--
Russ Allbery (eagle@eyrie.org)             https://www.eyrie.org/~eagle/
