On Mon, Nov 09, 2009 at 04:29:06PM -0600, Nicolas Williams wrote:
> On Mon, Nov 09, 2009 at 02:20:45PM -0800, Gary Winiger wrote:
> > > > > I want to see an updated pam_krb5(5) man page explaining how to use
> > > > > PKINIT
> > > > > and including the example PAM stacks for use of PKINIT.
> >
> > If I understand the project correctly:
>
> I don't think that's quite correct.
>
> > * The project wants to do different prompting than pam_authtok_get(5).
> >
> > * The project proposes to keying off of the contents of PAM_AUTHTOK
>
> Yes.
>
> > * The project proposes adding new configuration options.
>
> Not really.  Maybe.  But only in response to requests from others.

I'm proposing adding a passwd_fallback option to pam_krb5 to properly
handle an auth stack where the admin wants to try PKINIT and, if that
fails, have it return PAM_IGNORE and have the second instance of pam_krb5
following pam_authtok_get try password preauth, but only if PKINIT failed.
If passwd_fallback is not set on the first instance then pam_krb5 would
return failure if PKINIT failed.

> > * The project proposes to bypass account management and password
> > change.
>
> No.  Only the auth stack is affected.  Nothing about account management
> nor password changing changes.

Correct.

> (If the top instance of pam_krb5 returns PAM_SUCCESS and it was binding
> or sufficient then password-based authentication will be skipped.  This
> does not mean that password expiration will not be handled.)

If pam_krb5 is only doing PKINIT the KDC should not be indicating password
expired, thus that part of pam_krb5 should not come into play for PKINIT.
For password-based preauth nothing has changed here.

> > * The project proposes changes to the PAM stack.
>
> Yes.
>
> > Why should it be that account management and password change are
> > disallowed?
>
> Will and I have talked plenty about this, and though I'll admit to not
> having read the case materials closely (probably because I felt I was
> familiar enough with it given our conversations), I don't recall ever,
> ever talking about changes to the account management nor password change
> side of PAM or even just pam_krb5.
>
> For auth and setcred, the second instance of the module will return
> PAM_IGNORE if the first instance returned PAM_SUCCESS (at least as of
> Friday, right Will?).

That is correct.

-- 
Will Fiveash
Sun Microsystems Inc.
http://opensolaris.org/os/project/kerberos/
Sent from mutt, a sweet ASCII MUA
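The auth stack that the message above describes, written out as a pam.conf(4) fragment. This is an added illustration, not text from the thread, from the project's case materials or from the pam_krb5 man page. The passwd_fallback option is the one proposed in the message and does not exist in shipped pam_krb5; the `login` service name, the `sufficient` control flag (the message says "binding or sufficient"), and the omission of the other modules a real Solaris login stack carries are assumptions made here.

```text
# Constructed example of the two-instance pam_krb5 auth stack discussed in
# the thread.  Solaris pam.conf format:
#   service  module_type  control_flag  module_path  options
#
# 1. First pam_krb5 instance attempts PKINIT only.
#    - PKINIT succeeds  -> PAM_SUCCESS; "sufficient" ends the stack here,
#                          so no password is ever prompted for.
#    - PKINIT fails     -> with passwd_fallback (proposed option) the
#                          module returns PAM_IGNORE and the stack
#                          continues; without it the module returns a
#                          failure instead.
login   auth sufficient   pam_krb5.so.1          passwd_fallback

# 2. Only reached when PKINIT did not succeed: collect the password.
login   auth requisite    pam_authtok_get.so.1

# 3. Second pam_krb5 instance does password preauth with PAM_AUTHTOK.
#    Per the message, it returns PAM_IGNORE if the first instance
#    already returned PAM_SUCCESS (relevant if the first instance were
#    "required" rather than "sufficient" and the stack kept going).
login   auth required     pam_krb5.so.1
```

Note that only the `auth` lines change; as the message stresses, the `account` and `password` module types keep whatever stack the system already has, so password-expiry handling for password-based preauth is untouched.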