On 02/10/2012 03:35 PM, Stephen Frost wrote:
> First- I *think* I've done everything correct to get pam-krb5 to
> use FAST (which is to say, set up k5start, verified it gets a
> valid ticket, configured krb5.conf w/ the fast_ccache parameter,
> etc), but I have no idea how to tell if it's *actually* getting
> used.
I think the best way to verify is using a packet trace. Trace logging would ordinarily be the best way, but $KRB5_TRACE won't work with a secure context and I don't think pam_krb5 has yet added an option to turn on trace logging via the API. If you use wireshark to decode the AS-REQ, you should see padata type 136 in the request if FAST is in use.

> Is there any way to eliminate the need for this first password?

Not with the securid-sam2 preauth module. It implements the send-encrypted-sad method of SAM2 preauth, which requires the user's long-term key to be used to encrypt the OTP value. Work is underway on an implementation of a more modern FAST OTP mechanism which will allow this. See https://fedorahosted.org/AuthHub/ for more information.

________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
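A way to check a captured AS-REQ for padata type 136 without relying on wireshark's decoder, as an added example that is not from the original thread: a minimal DER walker over the AS-REQ structure ([APPLICATION 10] KDC-REQ with padata in context tag [3], each PA-DATA carrying padata-type in [1]). The make_as_req helper and its constructed sample requests with an empty req-body are assumptions so the example runs offline; on a real capture you would pass the raw AS-REQ bytes to uses_fast.

```python
PA_FX_FAST = 136  # padata-type PA-FX-FAST: the FAST armor wrapper (RFC 6113)

def der(tag, content):
    """Encode one DER TLV; tag is the raw identifier octet, long-form length if needed."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content
def der_int(n):  # minimal two's-complement DER INTEGER for non-negative n
    return der(0x02, n.to_bytes(n.bit_length() // 8 + 1, "big", signed=True))
def der_tlv(buf, pos=0):
    """Decode the TLV at buf[pos]; returns (tag, value, offset just past the TLV)."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:  # long-form length
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n

def der_children(buf):  # yield (tag, value) for each TLV inside a constructed value
    pos = 0
    while pos < len(buf):
        tag, val, pos = der_tlv(buf, pos)
        yield tag, val

def padata_types(as_req):
    """Return the padata-type values carried in an AS-REQ (empty list if none)."""
    tag, kdc_req, _ = der_tlv(as_req)
    if tag != 0x6A:  # [APPLICATION 10] AS-REQ
        raise ValueError("not an AS-REQ")
    _, fields, _ = der_tlv(kdc_req)  # the KDC-REQ SEQUENCE
    types = []
    for tag, val in der_children(fields):
        if tag == 0xA3:  # padata [3] SEQUENCE OF PA-DATA
            _, seq_of, _ = der_tlv(val)
            for _, pa in der_children(seq_of):
                for ctag, cval in der_children(pa):
                    if ctag == 0xA1:  # padata-type [1] Int32
                        _, raw, _ = der_tlv(cval)
                        types.append(int.from_bytes(raw, "big", signed=True))
    return types
def uses_fast(as_req):
    return PA_FX_FAST in padata_types(as_req)
def make_as_req(pa_types):
    """Constructed sample AS-REQ with the given padata types and an empty req-body (assumption)."""
    padata = b"".join(der(0x30, der(0xA1, der_int(t)) + der(0xA2, der(0x04, b"")))
                      for t in pa_types)
    fields = (der(0xA1, der_int(5)) + der(0xA2, der_int(10))
              + der(0xA3, der(0x30, padata)) + der(0xA4, der(0x30, b"")))
    return der(0x6A, der(0x30, fields))
```

PA-FX-FAST wraps the real request, so on an armored exchange 136 appears among the outer padata types; its absence means the AS-REQ went out without FAST armor.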