On Thu, 2021-10-07 at 11:50 -0700, Russ Allbery wrote:
> Ken Hornstein <k...@cmf.nrl.navy.mil> writes:
>
> > I am not sure of the client coverage of the OTP FAST factor, though.
>
> For what it's worth, although my pam-krb5 module implements FAST including
> both keyed and anonymous FAST, it does not implement FAST OTP. This is
> because (a) I didn't find any documentation of what I was supposed to do
> as a client (it's been years since I looked so this quite possibly has
> changed), and (b) attempting to set up a reasonable test environment
> looked painful. In particular, there was (at the time, again haven't
> checked recently) a lot of hand-waving about exactly how to set up the RADIUS
> part, since MIT Kerberos just treats it as an oracle.

It is somewhat documented, but see below.

> I haven't checked if sssd supports FAST OTP. That seems much more likely
> given that they probably have enterprise use cases that would warrant
> implementing it.

It does, and FreeIPA implements the server part, so you can look there
for examples and testing capabilities if you are so inclined.

> I'd be happy to take pull requests since I try to make pam-krb5 reasonably
> completionist as a hobby (although be aware that it's a purely hobby
> project at this point), but they would need to include changes to the ci
> directory to set up the KDC and RADIUS server appropriately so that the
> test suite could do a proper end-to-end integration test.

HTH,
Simo.

-- 
Simo Sorce
RHEL Crypto Team
Red Hat, Inc

________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos