I would like for the su command to NOT prompt the user for any password when the user has a kerberos ticket. That is su should not prompt for a kerberos or unix passwd. PAM is unable to determine if a terminal is encrypted and so the system should not inspire the user to cough up a password.

I simply added:

auth        sufficient  pam_ksu.so      no_warn

to the second line in the default /etc/pam.d/su config file. It worked, but I would not expect to be prompted for a password when I already have a ticket. (Secure single sign on is the whole point, right?)

What I desire is the behavior of the MIT ksu command. If the principal is listed in .k5login and has a valid ticket for the requesting principle, to be granted the shell as the new UID.

Near as I can tell, the heimdal ksu command that comes with FreeBSD has nothing to do with PAM. Is that true?

Don't assume that I understand PAM. I have been looking at this for all of a couple days. It seems dead simple. Maybe I just can't get the behavior I want.

Jason C. Wells
freebsd-questions@freebsd.org mailing list
To unsubscribe, send any mail to "[EMAIL PROTECTED]"

Reply via email to