Hello Glenn

On Sunday, 28 August 2016 01:10:12 CEST Machin, Glenn D wrote:
>
> Next step was to be able to use it for login/sudo. I modified the
> pam_krb5 step to below in system-auth. What I see on the KDC are only
> encrypted timestamp preauth.

Even if you have configured OTP, auth via encrypted timestamp should still work. I don't know if you can configure pam_krb5 not to try timestamp, but you could try purging the password from the krb-storage with kadmin.local:

    purgekeys -all myprinc@REALM

and see if the module falls back to otp.

> Next step was to be able to use it for login/sudo.

You might also want to take a look at the Secure Services Storage Daemon (sssd). It supports preauth with pkinit and it should support otp w. anonymous tickets. I'm using it for sudo with sudoers coming from my ldap directory, but you could also authenticate sudo against the sssd-pam-module.

> Any help would be appreciated.
> Glenn

Best regards
Felix
________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos