Subject: Re: Always prompting for OTP
From: Russ Allbery
Newsgroups: comp.protocols.kerberos
Organization: The Eyrie
Date: Tue, 10 May 2022 21:12 UTC
Message-ID: <mailman.65.1652217166.8148.kerberos@mit.edu>
In-Reply-To: <CAJhaRZJYY9X_090X7job_gh-R4bcXqgRhTzAEMgkcxYROfM0tA@mail.gmail.com> (BuzzSaw Code's message of "Tue, 10 May 2022 16:58:17 -0400")
BuzzSaw Code <buzzsaw.code@gmail.com> writes:

> But that prompt is a callback to the prompter routine in pam_krb5 passed
> in so I could bypass that prompt by just force feeding the "password"
> into the response structure right?

Yes, you can intercept it inside pam_krb5.  It's really ugly from a
pam-krb5 architecture perspective, though, so I'm not sure I'd want to
incorporate that upstream.

I feel like we went through a very similar problem with the use_pkinit
option and we came up with some solution that didn't require doing this
response injection thing, but I seem to have swapped all of that out of my
brain.  But maybe that was a different problem, since, looking at the
code, I think I used a prompter that rejected all password prompts, which
is sort of the opposite problem from the problem you're having.

--
Russ Allbery (eagle@eyrie.org)             https://www.eyrie.org/~eagle/
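The prompter-callback mechanism the thread is discussing, as an added example that is not pam-krb5's or MIT krb5's code: a callback shaped like krb5_prompter_fct that answers only the PASSWORD prompt from the secret PAM already collected and refuses a PREAUTH prompt (the OTP challenge), with a flag for the "reject password prompts" behaviour Russ recalls from use_pkinit. The type and constant definitions mirror the MIT krb5 public headers so the file compiles without <krb5.h>; the `types` field, `PROMPT_REFUSED` and `run_prompt` are assumptions standing in for krb5_get_prompt_types(), KRB5_LIBOS_CANTREADPWD and libkrb5's own prompt loop.

```c
#include <string.h>
/* Mirrors of MIT krb5 public types so this compiles without <krb5.h>. */
typedef int krb5_error_code;
typedef int krb5_prompt_type;
typedef struct { int magic; unsigned int length; char *data; } krb5_data;
typedef struct { char *prompt; int hidden; krb5_data *reply; } krb5_prompt;
#define KRB5_PROMPT_TYPE_PASSWORD 0x1
#define KRB5_PROMPT_TYPE_PREAUTH  0x4
#define PROMPT_REFUSED (-1)  /* assumed stand-in for KRB5_LIBOS_CANTREADPWD */
struct prompter_data {
    const char *password;           /* already collected via the PAM conversation */
    const krb5_prompt_type *types;  /* assumed stand-in for krb5_get_prompt_types() */
    int reject_password;            /* 1: refuse password prompts too (use_pkinit style) */
};
/* Same shape as krb5_prompter_fct; context would be the krb5_context. */
static krb5_error_code
pam_style_prompter(void *context, void *data, const char *name,
                   const char *banner, int num_prompts, krb5_prompt prompts[])
{
    struct prompter_data *pd = data;
    (void)context; (void)name; (void)banner;
    if (pd->types == NULL)
        return PROMPT_REFUSED;  /* cannot tell what is asked, so do not guess */
    for (int i = 0; i < num_prompts; i++) {
        krb5_data *reply = prompts[i].reply;
        /* Only a PASSWORD prompt may be answered from stored data; a PREAUTH
         * prompt (the OTP challenge) must reach a real user, never the password. */
        if (pd->types[i] != KRB5_PROMPT_TYPE_PASSWORD || pd->reject_password
            || pd->password == NULL)
            return PROMPT_REFUSED;
        /* reply->length: buffer capacity on entry, answer length on return. */
        size_t len = strlen(pd->password);
        if (len >= reply->length)
            return PROMPT_REFUSED;
        memcpy(reply->data, pd->password, len + 1);
        reply->length = (unsigned int)len;
    }
    return 0;
}

/* Assumed driver: hands the prompter one prompt the way libkrb5 would. */
static krb5_error_code
run_prompt(struct prompter_data *pd, krb5_prompt_type type, char *buf, unsigned int cap)
{
    char label[] = "Password";
    krb5_data reply = { 0, cap, buf };
    krb5_prompt p = { label, 1, &reply };
    krb5_prompt_type types[1] = { type };
    pd->types = types;  /* valid only for the duration of this call */
    return pam_style_prompter(NULL, pd, "example", NULL, 1, &p);
}
```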

