Ken Hornstein <k...@cmf.nrl.navy.mil> writes: > I am not sure of the client coverage of the OTP FAST factor, though.
For what it's worth, although my pam-krb5 module implements FAST including both keyed and anonymous FAST, it does not implement FAST OTP. This is because (a) I didn't find any documentation of what I was supposed to do as a client (it's been years since I looked so this quite possibly has changed), and (b) attempting to set up a reasonable test environment looked painful. In particular, there was (at the time, again haven't checked recently) a lot of hand-waving about exactly to set up the RADIUS part, since MIT Kerberos just treats it as an oracle. I haven't checked if sssd supports FAST OTP. That seems much more likely given that they probably have enterprise use cases that would warrant implementing it. I'd be happy to take pull requests since I try to make pam-krb5 reasonably completionist as a hobby (although be aware that it's a purely hobby project at this point), but they would need to include changes to the ci directory to set up the KDC and RADIUS server appropriately so that the test suite could do a proper end-to-end integration test. -- Russ Allbery (ea...@eyrie.org) <https://www.eyrie.org/~eagle/> ________________________________________________ Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos