BuzzSaw Code <[email protected]> writes: > A bad side effect of this behavior is that the calling PAM module never > gets that OTP value so it isn't available for other modules in the > stack, so they too prompt for credentials because they think the > password has not been entered yet.
What behavior do you expect here? For the full OTP+password string to be carried over to other modules in the stack, or only the password? If the latter, I believe this inherently requires that the pam_krb5 module know to disassemble the password (which would probably also solve your other problems at the cost of more complexity in the PAM module). -- Russ Allbery ([email protected]) <https://www.eyrie.org/~eagle/> ________________________________________________ Kerberos mailing list [email protected] https://mailman.mit.edu/mailman/listinfo/kerberos
