On Tue, Dec 24, 2013 at 06:34:24AM -0500, Alexander Bokovoy wrote:
> Hi!
> 
> FAST auth is broken for OTP case at least for FreeIPA because krb5_child
> returns an empty SSS_OTP message as the last one in the buffer. This message
> never got processed by the krb5_child_handler due to the fact that message
> size (8 bytes) was triggering the check for buffer length and prematurely
> claiming that the whole buffer is malformed.
> 
> Fixes https://fedorahosted.org/sssd/ticket/2186 and now I have working ssh
> logons with two-factor authentication using native FreeIPA OTP
> implementation and FreeOTP Android app.
> 
> Additionally this patch makes clear how ccache name is passed. It avoids
> looking into anything but SSS_PAM_ENV_ITEM message.
> 
> -- 
> / Alexander Bokovoy

My IPA server's OTP integration is broken at the moment (even outside
SSSD) so I wasn't able to test the OTP support per se, but I trust
Alexander's testing.

However, this patch looks good to me and all the usual krb5_child
operations (auth, chpass) still work fine.

ACK
_______________________________________________
sssd-devel mailing list
sssd-devel@lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
