Subject: Re: Always prompting for OTP
From: BuzzSaw Code
Newsgroups: comp.protocols.kerberos
Organization: TNet Consulting
Date: Tue, 10 May 2022 20:58 UTC
Message-ID: <mailman.64.1652216336.8148.kerberos@mit.edu>
In-Reply-To: <87ilqdqfbm.fsf@hope.eyrie.org>
On Tue, May 10, 2022 at 4:54 PM Russ Allbery <eagle@eyrie.org> wrote:

> Greg Hudson <ghudson@mit.edu> writes:
>
> > The FAST negotiation is irrelevant, except insofar as it makes the
> > design of FAST OTP possible.  Client preauth modules implementing OTP
> > mechanisms simply don't consider the Kerberos password to be the same as
> > an OTP value, so they ask for the OTP value via the responder or
> > prompter.
>
> Oh, I think this was the bit that I was missing.  I was for some reason
> assuming that the Kerberos library itself understood that part of the
> thing passed in as a "password" was actually an OTP value and the other
> part was a password, but it sounds like I was wrong to think this, and
> instead the entire "password" is sent via RADIUS and it's the RADIUS
> server that takes it apart into an OTP value and an actual password?
>
> And therefore, because of that, the Kerberos library declines to send a
> password passed in as an argument to krb5_get_init_creds_password to the
> RADIUS server, and always forces a separate prompt, because it is really
> designed for the case where the password and OTP are separate and entered
> separately at two different prompts, the second (for the OTP) triggered by
> the preauth mechanism?


But that prompt is a callback to the prompter routine in pam_krb5 passed in,
so I could bypass that prompt by just force-feeding the "password" into the
response structure, right?

