> I mean, this might be dumb, but why not have the kdc able to speak to
> pam modules directly?

All of those things are "send me a 2FA token and I will verify it". (Also, the pam API really really wants to talk to a person, that's the whole point of the "pam conversation" functions; I don't see how you could make that work with a KDC). Kerberos is "I am going to take your password which I already know, convert it into an encryption key, and use it to verify your Kerberos request". Kerberos needs to know the password/factor to make that happen, where the typical 2FA API only tells you "is this token good or not?".

I am aware of one site that a long, long time ago had developed code where you used the 2FA code as the Kerberos password directly; I never thought that was a good idea myself as the 2FA code never had a lot of entropy to serve as a good encryption key, but it worked for them.

If you want to use something like TOTP, then I think you're probably going to have to write your own FAST OTP preauth module. Which is doable! Although in practice it seems like any preauth module requires access to the MIT Kerberos ASN.1 decoder/encoder API, which means an internal dependency. Sigh.

Sadly, at this stage right now if you want to effectively use 2FA with Kerberos you're going to be stuck at the very minimum reading a lot of source code and protocol documents to see if you have the application coverage you need.

--Ken
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
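The two interfaces Ken contrasts, modelled side by side as an added example (this is not code from the thread or from MIT Kerberos): a verify-only TOTP backend per RFC 6238 that answers nothing but yes/no, and the PBKDF2 stage of the RFC 3962 string-to-key function that a KDC runs on a secret it actually holds. Running the OTP through string-to-key, as the site Ken mentions did, shows the point about entropy: the 256-bit key that comes out is selected by a six-digit value, so it carries under 20 bits. The realm, principal and TOTP seed below are constructed demo values, and the final DK() step of the real enctype is omitted because the standard library has no AES and that step adds no entropy.

```python
import hashlib
import hmac
import math
import struct


class TotpBackend:
    """Verify-only 2FA API (RFC 6238 TOTP over HMAC-SHA1, stdlib only).

    The backend keeps the shared seed to itself; a caller such as a KDC gets
    a boolean back and never sees any key material it could build on.
    """

    def __init__(self, seed: bytes, step: int = 30, digits: int = 6):
        self._seed = seed
        self.step = step
        self.digits = digits

    def code_at(self, counter: int) -> str:
        # HOTP dynamic truncation (RFC 4226 section 5.3) applied to the time counter
        digest = hmac.new(self._seed, struct.pack(">Q", counter), hashlib.sha1).digest()
        offset = digest[-1] & 0x0F
        value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
        return str(value % (10 ** self.digits)).zfill(self.digits)

    def verify(self, token: str, now: int, window: int = 1) -> bool:
        """The only question this API answers: is the token good right now?"""
        counter = now // self.step
        return any(
            hmac.compare_digest(self.code_at(counter + d), token)
            for d in range(-window, window + 1)
            if counter + d >= 0
        )


def kerberos_salt(realm: str, principal: str) -> bytes:
    # Default salt (RFC 4120 section 4.2): realm followed by the principal's
    # name components, concatenated with no separators.
    return (realm + principal.replace("/", "")).encode()


def string_to_key(secret: str, salt: bytes, iterations: int = 4096,
                  key_len: int = 32) -> bytes:
    """PBKDF2-HMAC-SHA1 stage of RFC 3962 string-to-key (aes256-cts-hmac-sha1-96).

    This is what the KDC can do only because it knows the secret itself; a
    yes/no answer from a 2FA backend gives it nothing to feed in here.
    """
    return hashlib.pbkdf2_hmac("sha1", secret.encode(), salt, iterations, key_len)


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy in a uniformly random string of the given shape."""
    return length * math.log2(alphabet_size)


def compare_designs(now: int) -> dict:
    """Walk both designs with constructed demo values and report what each yields."""
    backend = TotpBackend(b"constructed-demo-seed")          # constructed seed
    token = backend.code_at(now // backend.step)
    salt = kerberos_salt("EXAMPLE.ORG", "alice")             # constructed realm/principal

    otp_key = string_to_key(token, salt)                     # "OTP as password" design
    pw_key = string_to_key("correct horse battery staple", salt)

    return {
        "verify_only_result": backend.verify(token, now),    # bool, no key material
        "otp_key_bytes": len(otp_key),                       # 32 bytes of output ...
        "otp_key_entropy_bits": entropy_bits(10, 6),         # ... chosen from ~19.9 bits
        "password_entropy_bits": entropy_bits(95, 12),       # random 12-char printable
        "keys_differ": otp_key != pw_key,
    }


if __name__ == "__main__":
    for k, v in compare_designs(1_700_000_000).items():
        print(f"{k}: {v}")
```

The `entropy_bits` figures are upper bounds for uniformly random input; a real TOTP code is at most 10^6 values regardless of the 4096 PBKDF2 iterations in front of it, which is the objection Ken raises to reusing the OTP as the Kerberos password. A FAST OTP preauth module sidesteps this by carrying the OTP inside the armored tunnel and keeping the reply key rooted in material the OTP value does not select on its own.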