> I think this is sufficient for now and it doesn't preclude adding module
> options or a krb5.conf stanza (or even user_attr(4) name=value pairs) to
> control this in the future.

Hopefully pam_eval will be a longer term way of doing this.

> I'm happy with the latest spec that has been proposed.

I asked for through today at the meeting. Here's my summary:

1. I'm still uncomfortable with stacking pam_krb5 multiple times within the same stack type. IMO, it will lead to more confusion than the cost of generating a new module. I'll "hold my nose[tm]" here and hope the project team doesn't get customer calls.

2. I'm uncomfortable about keying off of an empty PAM_AUTHTOK to mean do PKINIT. See above.

3. In the case of stacking two pam_krb5(5) modules such that the first will pass through to pam_authtok_get(5), I'm unclear from the pam_sm_authenticate() spec what pam_authtok_get will do. Please specify what PAM items are set by the first instance so the admin knows what they will get from pam_authtok_get. I suspect there are two cases here:
   * PKINIT is not done, or fails;
   * PKINIT succeeds.

4. I'm still concerned that pam_sm_acct_mgmt() isn't applied when PKINIT is done. Viz, with the diff marks removed:

      Kerberos V5 Account Management Module

      The Kerberos account management component provides a function to
      perform account management, pam_sm_acct_mgmt(). This function checks
      to see if the pam_krb5 authentication module has noted that the
      user's password has not expired. This does not apply if the module
      is using PKINIT preauthentication.

      The following options may be passed in to the Kerberos V5 account
      management module:

   Does pam_sm_authenticate() fail? What is the outcome of not applying account management? Does it mean accounts cannot be expired if PKINIT is used?

5. I'm still concerned that pam_sm_chauthtok() isn't applied when PKINIT is done. Viz, with diff marks removed:

      Kerberos V5 Password Management Module

      The Kerberos V5 password management component provides a function to
      change passwords, pam_sm_chauthtok(), in the Key Distribution Center
      (KDC) database. This does not apply if the module is using PKINIT
      preauthentication.

      The following flags may be passed to pam_sm_chauthtok(3PAM):

   What does this mean to the example PAM password stack and kpasswd?

6. Nit, this project has a Minor release binding. Therefore it makes no sense to describe things in terms of dtlogin.

7. Has the project team coordinated with the SunRay (SRSS) team (as the primary implementor of smartcards)? Has the project team coordinated with the TX team, and how may this work with/affect the multi-level desktop?

Bottom line, IMO, 3, 4 and 5 need to be addressed in the spec. If they have been, please point me to where? I'll "hold my nose[tm]" relative to 1 and 2.

Thanks for the extra time,
Gary.
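For readers who want to see what the stacking discussed in points 3, 4 and 5 would look like on disk, here is an added, hypothetical Solaris pam.conf fragment (not part of the thread or of the project's spec). It assumes the proposed behaviour that an empty PAM_AUTHTOK makes pam_krb5 attempt PKINIT; the control flags are illustrative choices, and the module paths are the standard Solaris ones.

```text
# Hypothetical pam.conf "login" stacks illustrating the reviewed spec.
# Control flags are assumptions for illustration, not the spec's wording.

# First pam_krb5 instance. PAM_AUTHTOK is still empty here, so under the
# proposed spec this instance attempts PKINIT (smartcard). If PKINIT is not
# done or fails, the stack falls through to pam_authtok_get (point 3 asks
# which PAM items this instance leaves set when that happens).
login   auth sufficient     pam_krb5.so.1
# Prompts for the password and sets PAM_AUTHTOK for the modules below.
login   auth requisite      pam_authtok_get.so.1
login   auth required       pam_dhkeys.so.1
login   auth required       pam_unix_cred.so.1
login   auth required       pam_unix_auth.so.1
# Second pam_krb5 instance. PAM_AUTHTOK is now populated, so this one does
# password-based preauthentication against the KDC.
login   auth optional       pam_krb5.so.1

# Account stack. Per the spec text quoted in point 4, pam_krb5's
# pam_sm_acct_mgmt() does not apply when PKINIT was used, so for a PKINIT
# login only pam_roles and pam_unix_account actually evaluate the account;
# Kerberos-side expiry state is not checked for that session.
login   account requisite   pam_roles.so.1
login   account required    pam_unix_account.so.1
login   account required    pam_krb5.so.1

# Password stack. Per point 5, pam_krb5's pam_sm_chauthtok() likewise does
# not apply after a PKINIT login, so a password change on such a session
# reaches the KDC only through pam_krb5 when a password was used, otherwise
# only the local pam_authtok_store path runs.
login   password required   pam_dhkeys.so.1
login   password requisite  pam_authtok_get.so.1
login   password requisite  pam_authtok_check.so.1
login   password required   pam_authtok_store.so.1
login   password optional   pam_krb5.so.1
```

Tracing a PKINIT and a password login through these three stacks side by side makes the gap raised in points 4 and 5 concrete: the account and password stacks behave differently depending on which pam_krb5 instance succeeded in the auth stack.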