Greg Hudson <ghud...@mit.edu> writes: > I think the best way to verify is using a packet trace. Trace logging > would ordinarily be the best way, but $KRB5_TRACE won't work with a > secure context and I don't think pam_krb5 has yet added an option to > turn out trace logging via the API.
Not yet. :/ It's on my list, though. >> Is there any way to eliminate the need for this first password? > Not with the securid-sam2 preauth module. It implements the > send-encrypted-sad method of SAM2 preauth, which requires the user's > long-term key to be used to encrypt the OTP value. Ah! So the pam-krb5 flag, while necessary, won't actually solve this problem yet. -- Russ Allbery (r...@stanford.edu) <http://www.eyrie.org/~eagle/> ________________________________________________ Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos