>Ken Hornstein <[email protected]> writes:
>
>> I am not sure of the client coverage of the OTP FAST factor, though.
>
>For what it's worth, although my pam-krb5 module implements FAST including
>both keyed and anonymous FAST, it does not implement FAST OTP. This is
>because (a) I didn't find any documentation of what I was supposed to do
>as a client (it's been years since I looked so this quite possibly has
>changed),

Huh, I _kinda_ thought that if you had FAST going, you got FAST OTP (on
the client at least) for free! Which shows what I know. Maybe it works
already and you never tested it?

>and (b) attempting to set up a reasonable test environment
>looked painful. In particular, there was (at the time, again haven't
>checked recently) a lot of hand-waving about exactly to set up the RADIUS
>part, since MIT Kerberos just treats it as an oracle.

Right, THIS is actually a huge problem. Like having to set up a RADIUS
server? Ugh. It's also a problem for development! Like the only way
I have found to effectively test preauth mechanisms is to do testing on
one of our replica KDCs.

--Ken
________________________________________________
Kerberos mailing list
[email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
