My fasttrack sponsor has requested I wrap up this discussion. Currently the only change to my original fasttrack proposal is the addition of the passwd_fallback option to pam_krb5 in pam.conf. In the pam_krb5(5) man page it is documented as:

passwd_fallback
    Causes pam_krb5 to return PAM_IGNORE if it is doing PKINIT preauthentication and it is desired to try password based preauthentication if PKINIT fails. A second instance of pam_krb5 must follow pam_authtok_get if this option is used.

I have submitted the diff marked man page containing that information earlier in this thread.

-- 
Will Fiveash
Sun Microsystems Inc.
http://opensolaris.org/os/project/kerberos/
Sent from mutt, a sweet ASCII MUA
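A lint check for the ordering rule in the man page text quoted above, as an added example that is not part of the original message or the fasttrack proposal. The function name, the sample stacks and their control flags are constructed for illustration; the rule is read as requiring, in the same service's auth stack, a pam_krb5 line other than the passwd_fallback one somewhere after pam_authtok_get.

```python
# Constructed pam.conf fragments (not the proposal's actual stack).
SAMPLE_OK = """
# service  type  control     module                 options
login      auth  sufficient  pam_krb5.so.1          passwd_fallback
login      auth  requisite   pam_authtok_get.so.1
login      auth  sufficient  pam_krb5.so.1
login      auth  required    pam_unix_auth.so.1
"""

SAMPLE_BAD = """
login      auth  requisite   pam_authtok_get.so.1
login      auth  sufficient  pam_krb5.so.1          passwd_fallback
login      auth  required    pam_unix_auth.so.1
"""


def check_passwd_fallback(pam_conf_text):
    """Return the services whose auth stack uses passwd_fallback without a
    second pam_krb5 instance after pam_authtok_get."""
    stacks = {}
    for raw in pam_conf_text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 4 or fields[1] != "auth":
            continue  # blank line, comment, or a non-auth entry
        service, _type, _flag, path, *opts = fields
        module = path.rsplit("/", 1)[-1].split(".so")[0]
        stacks.setdefault(service, []).append((module, opts))

    failing = []
    for service, entries in stacks.items():
        modules = [m for m, _ in entries]
        for i, (module, opts) in enumerate(entries):
            if module != "pam_krb5" or "passwd_fallback" not in opts:
                continue
            # Look for pam_authtok_get, then a different pam_krb5 line after it.
            satisfied = any(
                modules[a] == "pam_authtok_get"
                and any(modules[k] == "pam_krb5" and k != i
                        for k in range(a + 1, len(modules)))
                for a in range(len(modules))
            )
            if not satisfied and service not in failing:
                failing.append(service)
    return failing


if __name__ == "__main__":
    print("ok sample:", check_passwd_fallback(SAMPLE_OK))
    print("bad sample:", check_passwd_fallback(SAMPLE_BAD))
```

The check looks only at the lines written for each service and does not model continuation lines or fallback to the `other` service.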