Subject: Re: Always prompting for OTP
From: BuzzSaw Code
Newsgroups: comp.protocols.kerberos
Organization: TNet Consulting
Date: Tue, 10 May 2022 18:57 UTC
References: 1 2 3 4 5 6 7
On Tue, May 10, 2022 at 2:49 PM Russ Allbery <eagle@eyrie.org> wrote:

> BuzzSaw Code <buzzsaw.code@gmail.com> writes:
>
> > We want the full OTP+password string just passed without modification.
>
> Ah, okay, so then in theory the problem could be solved entirely within
> the Kerberos libraries, although I haven't wrapped my mind around the
> problem Greg identified.

Same - I started walking through the code but haven't tracked down the
point where it tosses the original creds.

> > It would also be nice if when we use
> > try_first_pass/use_first_pass/force_first_pass options with pam_krb5
> > that it actually did that in the OTP case without the extra prompt.
> > no_prompt doesn't help as the password doesn't stay on the stack.
>
> I'm assuming this is because the Kerberos library doesn't think that the
> passed-in password can be sent after the FAST negotiation and therefore
> re-prompts internally?  I'm not sure I entirely understand the logic flow
> here.

Me either - haven't been able to fully grasp the flow.
