On Mon, Nov 09, 2009 at 02:20:45PM -0800, Gary Winiger wrote:
> > > > I want to see an updated pam_krb5(5) man page explaining how to use
> > > > PKINIT
> > and including the example PAM stacks for use of PKINIT.
> > If I understand the project correctly:

I don't think that's quite correct.

> * The project wants to do different prompting than pam_authtok_get(5).
>
> * The project proposes keying off of the contents of PAM_AUTHTOK

Yes.

> * The project proposes adding new configuration options.

Not really. Maybe. But only in response to requests from others.

> * The project proposes to bypass account management and password
>   change.

No. Only the auth stack is affected. Nothing about account management nor password changing changes. (If the top instance of pam_krb5 returns PAM_SUCCESS and it was binding or sufficient, then password-based authentication will be skipped. This does not mean that password expiration will not be handled.)

> * The project proposes changes to the PAM stack.

Yes.

> Why should it be that account management and password change are
> disallowed?

Will and I have talked plenty about this, and though I'll admit to not having read the case materials closely (probably because I felt I was familiar enough with it given our conversations), I don't recall ever, ever talking about changes to the account management nor password change side of PAM or even just pam_krb5.

For auth and setcred, the second instance of the module will return PAM_IGNORE if the first instance returned PAM_SUCCESS (at least as of Friday, right Will?).

Nico
--
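Added illustration, not taken from the thread or from the project's own materials: a hypothetical Solaris pam.conf auth stack laid out the way the reply above describes the auth-stack change (a pam_krb5 instance ahead of pam_authtok_get that does its own prompting, and a second pam_krb5 instance on the password path). Module names and control flags are the standard ones from pam.conf(4); the placement of the two pam_krb5 instances and the choice of `binding` are assumptions drawn from this message, and no PKINIT-specific module options are shown because the thread does not name any.

```conf
# Hypothetical Solaris pam.conf auth stack (illustration only, not the
# project's shipped configuration). Format: service type control module.
#
# First pam_krb5 instance, placed before pam_authtok_get so it can do its
# own prompting instead of taking a password from pam_authtok_get. Because
# the control flag is "binding", PAM_SUCCESS here (with no earlier required
# failure) ends the stack with success, so the password modules below are
# skipped. On failure the result is recorded and processing continues, so
# the password path is still tried.
login   auth binding    pam_krb5.so.1
#
# Password path: collect the password, then the usual Solaris modules.
login   auth requisite  pam_authtok_get.so.1
login   auth required   pam_dhkeys.so.1
login   auth required   pam_unix_cred.so.1
#
# Second pam_krb5 instance (password-based Kerberos authentication). Per
# the message above it returns PAM_IGNORE for auth and setcred when the
# first instance returned PAM_SUCCESS, i.e. it is then treated as if it
# were not in the stack at all.
login   auth binding    pam_krb5.so.1
login   auth required   pam_unix_auth.so.1
#
# The account and password stacks are not touched by the change described
# above, so password expiration and password changes are handled as before.
```

If `sufficient` is used for the first instance instead of `binding`, the success case is the same (remaining modules are skipped), but a failure of that instance is ignored rather than recorded, which changes what an earlier `required` failure or a later module can do to the overall result; that is the only difference the two flags make to the flow sketched here.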