On Mon, Nov 09, 2009 at 12:11:58PM +0100, Joerg Barfurth wrote:
> Douglas E. Engert wrote:
>
> >>>>> Note that if pam_krb is stacked below pam_authtok_get it would function
> >>>>> as it currently does which is to get the user's Kerberos credential
> >>>>> using their long term Kerberos password.
> >>>> That seems reasonable.
> >>>>
>
> FWIW I feel uncomfortable with the idea that presence or absence of a
> PAM_AUTHTOK will change the behavior of pam_krb5 substantially. So I'd
> prefer a 'preauth' or 'pkinit' option here.

That still doesn't change the fact that pam_krb5 would need to be stacked
above pam_authtok_get to avoid a potentially unnecessary password prompt.
See my other e-mail regarding pam_krb5 and auth stack ordering for my
other points in regards to administration.

> >>>> I want to see an updated pam_krb5(5) man page explaining how to use
> >>>> PKINIT and including the example PAM stacks for use of PKINIT.
> >>> I'll work on that and send it as a reply.
> >>
> >> While working out the various permutations of PAM auth stacks I've
> >> discovered that my fasttrack was not complete in regards to new
> >> interfaces. In order for the fall back to work properly from PKINIT to
> >> password based preauth, pam_krb5 will need a user configurable option to
> >> tell the first instance of pam_krb5 (doing PKINIT preauth) whether there
> >> will be a second instance of pam_krb5 stacked below pam_authtok_get that
> >> will try password preauth if PKINIT preauth fails. The idea is that if
> >> the first instance of pam_krb5 (PKINIT) fails it will return PAM_IGNORE
> >> if the fall back option is set to true (it would be false by default).
> >> Otherwise the first instance of pam_krb5 (PKINIT) would return failure.
> >>
>
> To me that sounds like something that should not require a module option.
> Stack flow is controlled by the control flag part of the pam.conf entry.
>
> So if preauth failure is not fatal, it should simply be configured as
> 'optional' or 'sufficient'.

I discussed your point with my colleague Nico Williams and we agree that
the passwd_fallback option is unnecessary to implement fall back to
password based krb preauth. Either sufficient or optional control flags
can provide equivalent auth stack evaluations. I will amend my wrap up
e-mail I sent earlier to withdraw the pam_fallback option.

-- 
Will Fiveash
Sun Microsystems Inc.
http://opensolaris.org/os/project/kerberos/
Sent from mutt, a sweet ASCII MUA
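As an added illustration (not part of this thread and not the project's shipped pam.conf), the stack shape the discussion converges on: a PKINIT instance of pam_krb5 marked 'sufficient' stacked above pam_authtok_get, and a password-based pam_krb5 instance marked 'optional' below it, so no module option is needed for the fall back. The `pkinit` option name is assumed from Joerg's suggestion (no such option is defined on the page), and pam_unix_auth is assumed as the non-Kerberos password check.

```text
# Constructed example pam.conf fragment (Solaris syntax), not the project's own config.
# "pkinit" is a placeholder for the per-instance option proposed in the thread.

# 1. PKINIT attempt first, before any password prompt. 'sufficient' means
#    success ends the auth stack here; failure is not fatal and evaluation
#    simply continues with the next line.
login   auth sufficient   pam_krb5.so.1           pkinit

# 2. Reached only when PKINIT did not succeed: prompt for the password
#    and store it as PAM_AUTHTOK for the modules below.
login   auth requisite    pam_authtok_get.so.1

# 3. Non-Kerberos password verification (assumed module).
login   auth required     pam_unix_auth.so.1

# 4. Second pam_krb5 instance, below pam_authtok_get, so it behaves as it
#    does today: password-based preauth with the PAM_AUTHTOK just collected.
#    'optional' so a Kerberos failure does not block a user whose Unix
#    password succeeded.
login   auth optional     pam_krb5.so.1
```

Swapping line 1 to 'optional' gives the same fall back but always continues to the password prompt, which is the unnecessary prompt the ordering above is meant to avoid.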