I'm trying to understand if the behavior I'm seeing is by design or a bug. Using the 1.19.3 release along with Russ Allbery's pam_krb5, no matter what options are set for pam_krb5, when using one of our accounts set up for RadiusOverOTP, the krb5 library prompter asks for the OTP token.
Tracing the calls and adding our own debug statements, we see that the password is being passed in to the Kerberos library routines. It seems like the original credentials that were passed in, which is the valid OTP "pin+password", are tossed by the krb5 library routines once the KDC responds asking for preauth and the anonymous FAST conversation is done, no matter what. Is there no way to tell the library to use the credentials we gave you without asking for more information?

V/r,
DC