Re: otp over radius preauthentication

Re: otp over radius preauthentication

Greg Hudson
I took this off-list to avoid excessive noise.  Here is a summary of our
findings:

* Frederic was using a system verto package at version 0.2.4, which had
a bug in the libev implementation of verto_set_flags.  This was causing
the OTP plugin to be unable to see RADIUS replies.  Upgrading to verto
0.2.6 fixed the problem.  The bundled version of verto in the krb5
sources (0.2.5) is unaffected.

* There is a KDC crash bug when the principal's OTP config contains
invalid JSON.  I have submitted a fix, which will be in 1.12.2.  (This
isn't a security issue because principal OTP configuration is trusted
input.  It's a null pointer dereference only.)

* kadmin does not make it easy to set string attributes containing JSON
values because of quoting issues.  It would be good if we could address
this, but I don't have an idea at the moment.  For now you have to write
things like:

  setstr princname otp "[{""type"": ""yubikey""}]"

_______________________________________________
krbdev mailing list             [hidden email]
https://mailman.mit.edu/mailman/listinfo/krbdev
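The quoting workaround in the post (doubling every embedded `"` inside a double-quoted `setstr` argument) is easy to get wrong by hand, and the post also notes that invalid JSON in the otp attribute crashed the KDC before the 1.12.2 fix. The following Python is an added example, not code from Greg Hudson or from the MIT krb5 project: it builds the otp JSON from a Python structure, validates it before it is quoted, and emits the `setstr` line using only the doubling rule the post's example shows. The `[{"type": ...}]` shape is taken from that same example; the helper names and the principal name `princname` are assumptions, and `kadmin_unquote` is a round-trip check for this example, not kadmin's real tokenizer.

```python
import json


def kadmin_quote(value: str) -> str:
    """Wrap value in double quotes, doubling any embedded double quote.
    This is the convention shown in the post:
        setstr princname otp "[{""type"": ""yubikey""}]"
    """
    return '"' + value.replace('"', '""') + '"'


def kadmin_unquote(token: str) -> str:
    """Reverse of kadmin_quote, used here only to confirm the round trip.
    (Illustrative helper; kadmin's own parser is not reproduced here.)"""
    if len(token) < 2 or token[0] != '"' or token[-1] != '"':
        raise ValueError("not a double-quoted token")
    return token[1:-1].replace('""', '"')


def check_otp_config(text: str):
    """Validate a raw otp attribute value before it is stored.

    Returns (ok, reason).  The value must parse as JSON and, following the
    shape in the post's example, be a list of objects each carrying a
    'type' key.  Catching this in the admin tooling means an invalid
    config never reaches a KDC that may still have the crash bug.
    """
    try:
        parsed = json.loads(text)
    except json.JSONDecodeError as e:
        return False, f"invalid JSON: {e.msg}"
    if not isinstance(parsed, list) or not all(
        isinstance(t, dict) and "type" in t for t in parsed
    ):
        return False, "expected a JSON list of objects each with a 'type' key"
    return True, "ok"


def otp_setstr_command(princ: str, tokens: list) -> str:
    """Build the kadmin 'setstr <princ> otp <json>' line.

    The config is serialized with json.dumps (which always yields valid
    JSON), re-checked with check_otp_config, and then quoted for kadmin.
    """
    config = json.dumps(tokens)
    ok, reason = check_otp_config(config)
    if not ok:
        raise ValueError(reason)
    return f"setstr {princ} otp {kadmin_quote(config)}"


if __name__ == "__main__":
    # Constructed sample matching the post's yubikey example.
    print(otp_setstr_command("princname", [{"type": "yubikey"}]))
    # A hand-typed config with a missing bracket is rejected before setstr.
    print(check_otp_config('[{"type": "yubikey"'))
```

Running the block prints the exact `setstr` line from the post for the yubikey case, and shows the truncated config being rejected with a JSON parse error instead of being handed to kadmin.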