Russ Allbery <[email protected]> writes:

> Yair Yarom <[email protected]> writes:
>
>> Some preauth plugins have their own password prompts, and with pam_krb5
>> always asking for password, the result is two password prompts (when the
>> first might be ignored, as the preauth can replace the key).
>
>> I suggest a no_password option to solve this issue. Attached is a patch
>> that does it.
>
> The standard PAM way to do this is to use either the try_first_pass or
> use_first_pass options (see the man page) depending on what fallback
> behavior you want if no password is already stored in the PAM stack.  Have
> you tried this already?  If so, what about those options doesn't
> accomplish what you need?

try_first_pass and use_first_pass won't work. The password never gets
through the PAM mechanism but rather through the kerberos preauth
plugin. It is somewhat similar to the pkinit. With pkinit there might be
no password involved at all, and pkinit manages the authentication and
not PAM (and indeed, the code skips the password prompt if there is
pkinit but in the end still calls krb5_get_init_creds_password).

This option is for any general preauth plugin that manages the
authentication by itself (with passwords or other means), so that there
won't be a special case for each such plugin. 

Thanks for your quick reply, 
    Yair.



-- 
To UNSUBSCRIBE, email to [email protected]
with a subject of "unsubscribe". Trouble? Contact [email protected]

Reply via email to