Subject: Re: Always prompting for OTP
From: Russ Allbery
Newsgroups: comp.protocols.kerberos
Organization: The Eyrie
Date: Tue, 10 May 2022 20:54 UTC
Greg Hudson <ghudson@mit.edu> writes:

> The FAST negotiation is irrelevant, except insofar as it makes the
> design of FAST OTP possible.  Client preauth modules implementing OTP
> mechanisms simply don't consider the Kerberos password to be the same as
> an OTP value, so they ask for the OTP value via the responder or
> prompter.

Oh, I think this was the bit that I was missing.  I was for some reason
assuming that the Kerberos library itself understood that part of the
thing passed in as a "password" was actually an OTP value and the other
part was a password, but it sounds like I was wrong to think this, and
instead the entire "password" is sent via RADIUS and it's the RADIUS
server that takes it apart into an OTP value and an actual password?

And therefore, because of that, the Kerberos library declines to send a
password passed in as an argument to krb5_get_init_creds_password to the
RADIUS server, and always forces a separate prompt, because it is really
designed for the case where the password and OTP are separate and entered
separately at two different prompts, the second (for the OTP) triggered by
the preauth mechanism?

If I have this right, it feels like the root problem is the combined
password mechanism that overloads the password field to carry unrelated
additional information, but unfortunately that may be forced by the number
of protocols that are entirely unable to deal with additional PAM prompts.

--
Russ Allbery (eagle@eyrie.org)             https://www.eyrie.org/~eagle/
