On 12/22/2014 05:49 AM, Tollef Fog Heen wrote:
> I'm trying to set up the MIT KDC with support for OTP tokens (yubikeys
> in my case, as a single factor, at least initially). I have the entire
> bit from the RADIUS server and backwards working correctly, but I can't
> get the KDC to see replies from the RADIUS server, it complains about
> «connection timed out». Platform is Debian jessie with the packaged
> 1.12.1, but I see the same problem with a 1.13 tar.gz build.

I'm not sure why you're getting this. A local firewall could perhaps cause this problem, but I don't have high confidence in that hypothesis. You may need to instrument or debug the OTP verification code (otp_verify in src/plugins/preauth/otp/main.c) and the RADIUS server, or look at a packet trace with tcpdump or wireshark.

> The problem also shows itself when running the t_otp test (where I had
> to change the type of User-Password to octets instead of string, but I
> doubt that's the problem):

Ah, thanks for pointing that out. I had started seeing test failures in pyrad versions new enough to try to decode string attributes as UTF-8, but hadn't connected the problem to the attribute type in radius_attributes. I will file a pull request shortly, but you're right that this isn't connected to your timeout issue.

________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
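
Added example, not part of the original message and not code from krb5 or pyrad: it shows why a User-Password value cannot safely be typed as a UTF-8 string, by implementing the RFC 2865 section 5.2 hiding scheme and checking whether the on-the-wire bytes decode. The function names, shared secret, password and authenticators are all constructed for illustration.

```python
import hashlib

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Hide a password as RFC 2865 section 5.2 describes (MD5 keystream, 16-byte blocks)."""
    if len(authenticator) != 16 or len(password) > 128:
        raise ValueError("need a 16-byte authenticator and a password of at most 128 bytes")
    # Pad with NULs to a multiple of 16 (an empty password becomes one NUL block).
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    hidden, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        hidden += block
        prev = block          # the next keystream block depends on this ciphertext block
    return hidden

def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side: reverse the hiding and strip the NUL padding."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden value must be a non-empty multiple of 16 bytes")
    clear, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        clear += _xor(block, hashlib.md5(secret + prev).digest())
        prev = block
    return clear.rstrip(b"\x00")

def decodes_as_utf8(value: bytes) -> bool:
    try:
        value.decode("utf-8")
        return True
    except UnicodeDecodeError:
        return False

def count_undecodable(password: bytes, secret: bytes, trials: int = 64) -> int:
    """Count constructed authenticators for which the hidden value is not valid UTF-8."""
    bad = 0
    for i in range(trials):
        auth = hashlib.md5(b"constructed-authenticator-%d" % i).digest()
        if not decodes_as_utf8(hide_password(password, secret, auth)):
            bad += 1
    return bad

if __name__ == "__main__":
    secret, otp = b"constructed-secret", b"123456"   # constructed sample values
    print(count_undecodable(otp, secret), "of 64 hidden values are not valid UTF-8")
```

The cleartext OTP is plain ASCII, but what travels in the attribute is the XOR of that text with MD5 output, so a dictionary entry of type octets is the one that matches the bytes on the wire.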