On 5/10/22 11:47, BuzzSaw Code wrote:
> I'm trying to understand if the behavior I'm seeing is by design or a bug.
> [...]
> It seems like the original credentials that were passed in, which is the
> valid OTP "pin+password", are tossed by the krb5 library routines once the
> KDC responds asking for preauth and the anonymous FAST conversation is done
> no matter what.
This is by design. The basic Kerberos protocol does not reveal the password to the KDC, but FAST OTP does reveal the OTP value (encrypted within the FAST channel). So for libkrb5 to transparently send the password to the KDC when the KDC asks for FAST OTP would have security implications. pam_krb5 could work around this decision via its prompter callback, and that might be reasonable to implement as an option.

________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos