Re: Always prompting for OTPFrom: Russ AllberyNewsgroups:
Tue, 10 May 2022 21:12 UTC
References: 1 2 3 4 5 6 7 8 9 10
View all headers
BuzzSaw Code <email@example.com> writes:
But that prompt is a callback to the prompter routine in pam_krb5 passed
in so I could bypass that prompt by just force feeding the "password"
into the response structure right ?
Yes, you can intercept it inside pam_krb5. It's really ugly from a
pam-krb5 architecture perspective, though, so I'm not sure I'd want to
incorporate that upstream.
I feel like we went through a very similar problem with the use_pkinit
option and we came up with some solution that didn't require doing this
response injection thing, but I seem to have swapped all of that out of my
brain. But maybe that was a different problem, since, looking at the
code, I think I used a prompter that rejected all password prompts, which
is sort of the opposite problem from the problem you're having.
Russ Allbery (firstname.lastname@example.org) https://www.eyrie.org/~eagle/