From 6c754ce5ef953dbaa8d4bc74bd4b19902e62a1d2 Mon Sep 17 00:00:00 2001
From: Sumit Bose
Date: Thu, 11 Dec 2025 11:03:17 +0100
Subject: [PATCH 1/2] krb5: fix OTP authentication

Resolves: https://github.com/SSSD/sssd/issues/8292

Reviewed-by: Justin Stephenson
---
 src/providers/krb5/krb5_child.c | 11 +++++------
 1 file changed, 5 insertions(+), 6 deletions(-)

diff --git a/src/providers/krb5/krb5_child.c b/src/providers/krb5/krb5_child.c
index 1b5db5c97e..daf00b0dab 100644
--- a/src/providers/krb5/krb5_child.c
+++ b/src/providers/krb5/krb5_child.c
@@ -577,6 +577,8 @@ static krb5_error_code request_otp(krb5_context ctx,
 goto done;
 }
 
+ kr->otp = true;
+
 for (i = 0; chl->tokeninfo[i] != NULL; i++) {
 DEBUG(SSSDBG_TRACE_ALL, "[%zu] Vendor [%s].\n", i, chl->tokeninfo[i]->vendor);
@@ -600,12 +602,9 @@ static krb5_error_code request_otp(krb5_context ctx,
 /* Allocation errors are ignored on purpose */
 DEBUG(SSSDBG_TRACE_ALL, "Setting otp prompting.\n");
- if (kr->otp) {
- kerr = k5c_attach_otp_info_msg(kr);
- if (kerr != EOK) {
- DEBUG(SSSDBG_CRIT_FAILURE,
- "Failed to add otp prompting data.\n");
- }
+ kerr = k5c_attach_otp_info_msg(kr);
+ if (kerr != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Failed to add otp prompting data.\n");
 }
 
 done:

From 11fcc28d936b1250b784fcbe9d4515acf2ad855f Mon Sep 17 00:00:00 2001
From: Iker Pedrosa
Date: Thu, 11 Dec 2025 12:25:00 +0100
Subject: [PATCH 2/2] krb5_child: fix OTP authentication for PAM stacked tokens

The `tokeninfo_matches()` function already handles PAM stacked tokens correctly by processing them through the 2FA single path, so the `answer_otp()` function should allow this token type to proceed.

Add SSS_AUTHTOK_TYPE_PAM_STACKED to the allowed authentication token types in `answer_otp()` to restore previous functionality.

Fixes: 4cb99a248 ("krb5_child: advertise authentication methods").

Signed-off-by: Iker Pedrosa
Reviewed-by: Justin Stephenson
---
 src/providers/krb5/krb5_child.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
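Review bot: `kr->otp = true;` is raised before the tokeninfo loop rather than next to the `k5c_attach_otp_info_msg(kr)` call it enables, so an error exit from that loop (the `goto done;` just above shows the function bails that way; the loop body itself is outside the hunk) would leave the flag set with no prompting data attached. If anything reads kr->otp after a failed request_otp(), moving the assignment to immediately before the attach call keeps the flag and the attached message consistent; if nothing does, a comment should say why the early placement is harmless. Either way the line deserves a why-comment, since the old `if (kr->otp)` guard implied the flag was set elsewhere: `/* The KDC offered OTP preauth; record it so the prompting data is attached below */`. request_otp() starts and ends outside the hunk.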
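Review bot: The now-unconditional `kerr = k5c_attach_otp_info_msg(kr);` leaves kerr holding the error and falls through to `done:` on failure, while the comment two lines above says allocation errors are ignored on purpose, so one of the two is misleading. If `done:` returns kerr (its body is outside the hunk), the failure already aborts the request and the comment should be corrected, for example `/* Attach failure is fatal: without the prompt data the client cannot answer the challenge */`; if best-effort is really intended, add `kerr = EOK;` after the DEBUG. Failing closed looks like the safer choice here, since continuing without the prompting data would presumably leave the client answering with the wrong token type, so I would keep the error and fix the comment. request_otp() starts and ends outside the hunk.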
diff --git a/src/providers/krb5/krb5_child.c b/src/providers/krb5/krb5_child.c
index daf00b0dab..05c73455c1 100644
--- a/src/providers/krb5/krb5_child.c
+++ b/src/providers/krb5/krb5_child.c
@@ -624,7 +624,8 @@ static krb5_error_code answer_otp(krb5_context ctx,
 type = sss_authtok_get_type(kr->pd->authtok);
 if (type != SSS_AUTHTOK_TYPE_2FA_SINGLE
- && type != SSS_AUTHTOK_TYPE_2FA) {
+ && type != SSS_AUTHTOK_TYPE_2FA
+ && type != SSS_AUTHTOK_TYPE_PAM_STACKED) {
 DEBUG(SSSDBG_MINOR_FAILURE, "Unexpected authentication token type [%s]\n", sss_authtok_type_to_str(type));
 return ERR_CHECK_NEXT_AUTH_TYPE;
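Review bot: The new `&& type != SSS_AUTHTOK_TYPE_PAM_STACKED` carries no hint of why a PAM-stacked token is a valid OTP answer, and this exact allowlist is what 4cb99a248 got wrong, so a comment on the condition would guard against a repeat: `/* PAM_STACKED is treated as 2FA_SINGLE by tokeninfo_matches(); keep it allowed here */`. The check only admits the type; the rest of answer_otp() that extracts the secret and matches it against the token info lies outside the hunk, and that it takes PAM_STACKED through the 2FA-single path is asserted by the commit message rather than shown by the diff, so it is worth confirming before merge. The diffstat lists only krb5_child.c, so no regression test covers the stacked case; a test feeding a PAM_STACKED authtok through answer_otp() would have caught the original regression.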