Wyllys Ingersoll wrote:
>>> I will make another pitch at this, put pam_authtok_get first, and if
>>> the password entered is "PKI", "PKINIT", "smart card" or some other
>>> key phrase (blank?), then pam_krb5 will try PKINIT. You only need one
>>> pam_krb5 on the stack too, and if the pam_authtok_get changes, you
>>> don't have to change pam_krb5.
>> What if there is another required module below pam_krb5 that requires a
>> password?

Well with traditional pam if that password did not work the module
would prompt again. I would expect that if pam_krb5 found one of the above,
it would set PAM_AUTHTOK to null, and let a lower level pam module prompt
for its password.

>>
>>
>
> I really strongly dislike the idea of having a special password that causes
> it to behave differently. It just smells like a bad hack.

Yes, it is a hack, based on the current pam limitations of only prompting for
user and password. A more flexible pam architecture could prompt for
type of authentication the user wants to try.

>
> -Wyllys
>
>

--
Douglas E. Engert <DEEngert at anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444