Yair Yarom <[email protected]> writes: > Russ Allbery <[email protected]> writes: >> Yair Yarom <[email protected]> writes:
>>> Some preauth plugins have their own password prompts, and with >>> pam_krb5 always asking for password, the result is two password >>> prompts (when the first might be ignored, as the preauth can replace >>> the key). >>> I suggest a no_password option to solve this issue. Attached is a >>> patch that does it. >> The standard PAM way to do this is to use either the try_first_pass or >> use_first_pass options (see the man page) depending on what fallback >> behavior you want if no password is already stored in the PAM stack. >> Have you tried this already? If so, what about those options doesn't >> accomplish what you need? > try_first_pass and use_first_pass won't work. The password never gets > through the PAM mechanism but rather through the kerberos preauth > plugin. Oh, the *preauth* prompt, which is of course handled by the Kerberos library prompting mechanism and displayed that way. Sorry, I clearly read your message too quickly. Yes, your patch makes sense with that context and I'll look at incorporating it into the module. -- Russ Allbery ([email protected]) <http://www.eyrie.org/~eagle/> -- To UNSUBSCRIBE, email to [email protected] with a subject of "unsubscribe". Trouble? Contact [email protected]

