Always prompting for OTP

2022-05-10 Thread BuzzSaw Code
I'm trying to understand if the behavior I'm seeing is by design or a bug. Using the 1.19.3 release along with Russ Allbery's pam_krb5, no matter what options are set for pam_krb5, when using one of our accounts set up for RadiusOverOTP, the krb5 library prompter asks for the OTP token. Tracing t

Re: Always prompting for OTP

2022-05-10 Thread BuzzSaw Code
> > > This is by design. The basic Kerberos protocol does not reveal the > password to the KDC, but FAST OTP does reveal the OTP value (encrypted > within the FAST channel). So for libkrb5 to transparently send the > password to the KDC when the KDC asks for FAST OTP would have security > implica

Re: Always prompting for OTP

2022-05-10 Thread BuzzSaw Code
On Tue, May 10, 2022 at 2:05 PM Russ Allbery wrote: > BuzzSaw Code writes: > > > A bad side effect of this behavior is that the calling PAM module never > > gets that OTP value so it isn't available for other modules in the > > stack, so they too prompt for crede

Re: Always prompting for OTP

2022-05-10 Thread BuzzSaw Code
On Tue, May 10, 2022 at 2:49 PM Russ Allbery wrote: > BuzzSaw Code writes: > > > We want the full OTP+password string just passed without modification. > > Ah, okay, so then in theory the problem could be solved entirely within > the Kerberos libraries, although I haven

Re: Always prompting for OTP

2022-05-10 Thread BuzzSaw Code
On Tue, May 10, 2022 at 4:54 PM Russ Allbery wrote: > Greg Hudson writes: > > > The FAST negotiation is irrelevant, except insofar as it makes the > > design of FAST OTP possible. Client preauth modules implementing OTP > > mechanisms simply don't consider the Kerberos password to be the same a

"Socket type not supported" with OTP

2023-01-09 Thread BuzzSaw Code
I've set up some new RHEL8 KDCs that will use the otp feature - I have this working on RHEL7 without issues. But on the RHEL8 hosts I'm getting "preauth (otp) verify failure: Socket type not supported" errors. Each KDC has a local radius server listening on the IPv6 loopback, so the kdc.conf has t

Re: "Socket type not supported" with OTP

2023-01-11 Thread BuzzSaw Code
Looks like I get to answer my own question, FIPS mode breaks the normal OTP setup in RHEL8: https://bugzilla.redhat.com/show_bug.cgi?id=1872689 Bleah. On Mon, Jan 9, 2023 at 11:15 PM BuzzSaw Code wrote: > > I've set up some new RHEL8 KDCs that will use the otp feature - I have > t

Re: help with OTP

2023-04-25 Thread BuzzSaw Code
What we did: - in your kdc.conf: [otp] DEFAULT = { server = localhost6:1812 secret = secretfile strip_realm = true } This assumes your kdc runs a local RADIUS server that will answer up OTP requests. Change as needed. - create the file 'secretfile' with your share

Applying policy results in Bad encryption type

2024-03-12 Thread BuzzSaw Code
We did a server replacement of our master KDC that had been on RHEL7 for years to finally upgrade to RHEL8. We did a dump of the database prior to the swap, we still have the old server sitting around as well. Principal database is on disk in old db2 style. Kerberos version is 1.18 for RHEL8, RH

Re: Applying policy results in Bad encryption type

2024-03-12 Thread BuzzSaw Code
You nailed it - we dropped DES and switched to AES keys everywhere else a long time ago but somehow missed that. Thank you! On Tue, Mar 12, 2024 at 4:12 PM Ken Hornstein wrote: > > >We did a server replacement of our master KDC that had been on RHEL7 > >for years to finally upgrade to RHEL8. W