On Tue, May 10, 2022 at 2:49 PM Russ Allbery <[email protected]> wrote:
> BuzzSaw Code <[email protected]> writes:
>
> > We want the full OTP+password string just passed without modification.
>
> Ah, okay, so then in theory the problem could be solved entirely within
> the Kerberos libraries, although I haven't wrapped my mind around the
> problem Greg identified.
>

Same - I started walking through the code but haven't tracked down the
point where it tosses the original creds.

>
> > It would also be nice if when we use
> > try_first_pass/use_first_pass/force_first_pass options with pam_krb5
> > that it actually did that in the OTP case without the extra prompt.
> > no_prompt doesn't help as the password doesn't stay on the stack.
>
> I'm assuming this is because the Kerberos library doesn't think that the
> passed-in password can be sent after the FAST negotiation and therefore
> re-prompts internally? I'm not sure I entirely understand the logic flow
> here.

Me either - haven't been able to fully grasp the flow.
________________________________________________
Kerberos mailing list [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
