On Mon, Dec 14, 2009 at 02:52:51PM -0800, Gary Winiger wrote:
> > The final spec and man page for the pam_krb5 pkinit project
> > have been put into the case directory. If there are no
> > further objections, this case should get approved at the meeting
> > this week.
>
> From message 60 of 17 Nov and not yet answered:
>
> Gary..
> ======
> From pkinit-final:
>
> "The pam_krb5 password module will change in that if PKINIT
> authentication was done it will return PAM_IGNORE in the following
> cases:
>
> - the new passwd is NULL
> - the old passwd is NULL
> - verification of the old passwd fails.
>
> If none of the above is true then pam_krb5 tries to change the password
> and will return an error if that fails. The rationale behind this is if
> some PAM module causes pam_acct_mgmt() to return PAM_NEW_AUTHTOK_REQD
> and/or the app subsequently calls pam_chauthtok(), pam_krb5 will change
> a user's password. But this may well fail: the KDC may not want to
> allow a PKINIT user to change/set a password since the user may be
> expected to use PKINIT."
>
> This information does not seem to be in the man page. How does the
> administrator know it?

I will update the man page to include this.

> Not being a pkinit expert, I'd like to understand how the password
> stack will know if the user was authenticated by pkinit?

A field in the krb module data struct will indicate this.

> I feel TCR strong that the man page needs to be complete relative to this
> part of the spec. I'm also concerned that pam_krb5 in the password stack
> won't likely be called without PAM_AUTHTOK or PAM_OLDAUTHTOK set.

I am not changing the conditions under which pam_krb5 pam_sm_chauthtok()
is being called, only its behavior if pam_krb5 did PKINIT using a PIN
(not the PAM_AUTHTOK password) in the auth stack.

> Which call to pam_sm_chauthtok() PAM_PRELIM_CHECK and/or PAM_UPDATE_AUTHTOK
> will be making these checks?

The checks are made if the PAM_UPDATE_AUTHTOK flag is set. The project
is not changing the behavior of pam_sm_chauthtok() if the PAM_PRELIM_CHECK
flag is set, which is to return PAM_IGNORE.

-- 
Will Fiveash
Sun Microsystems
Office x64079/512-401-1079
Austin, TX, 78727 (TZ=CST6CDT), USA
Internal Solaris Kerberos/GSS/SASL website: http://kerberos.sfbay.sun.com
http://opensolaris.org/os/project/kerberos/
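The pam_sm_chauthtok() decision logic the spec excerpt and Will's replies describe, as an added example that is not Sun's pam_krb5 source and is not part of the thread. It models only what the messages state: PAM_PRELIM_CHECK always returns PAM_IGNORE; with PAM_UPDATE_AUTHTOK set, a module that did PKINIT in the auth stack returns PAM_IGNORE when the new or old password is NULL or the old password fails verification, and otherwise tries the change and returns an error if the KDC refuses. Everything else is an assumption for the sake of a runnable example: the struct and field name `auth_used_pkinit` (the thread only says "a field in the krb module data struct"), the numeric values of the PAM constants (real code uses <security/pam_appl.h>), the `verify_fn`/`change_fn` callbacks that stand in for the KDC round trips, PAM_AUTHTOK_ERR as the error code, the behaviour of the non-PKINIT path, and the in-memory "KDC" that can be told to refuse password changes for a PKINIT-only principal.

```c
#include <stdio.h>
#include <string.h>

/* Local stand-ins for PAM symbols: the names follow PAM, the numeric values
 * are arbitrary here and NOT the ones in <security/pam_appl.h>. */
#define PAM_SUCCESS        0
#define PAM_IGNORE         1
#define PAM_AUTHTOK_ERR    2
#define PAM_PRELIM_CHECK   0x1
#define PAM_UPDATE_AUTHTOK 0x2

/* The thread says "a field in the krb module data struct" records whether the
 * auth stack used PKINIT; the struct and field names here are assumptions. */
struct krb5_module_data {
    int auth_used_pkinit;   /* nonzero: auth was PKINIT with a PIN, not PAM_AUTHTOK */
};

/* Callbacks standing in for the KDC round trips (assumed shape). 0 means ok. */
typedef int (*verify_fn)(const char *oldpw);
typedef int (*change_fn)(const char *oldpw, const char *newpw);

/* Decision logic of pam_sm_chauthtok() as the spec excerpt describes it. */
int krb5_chauthtok_decide(int flags, const struct krb5_module_data *md,
                          const char *oldpw, const char *newpw,
                          verify_fn verify_old, change_fn change)
{
    /* Unchanged by the project: the preliminary pass returns PAM_IGNORE. */
    if (flags & PAM_PRELIM_CHECK)
        return PAM_IGNORE;
    if (!(flags & PAM_UPDATE_AUTHTOK))
        return PAM_IGNORE;   /* assumption: no recognised pass, step aside */

    /* NULL checks come first so verify_old() is never handed a NULL. */
    int unusable = (newpw == NULL || oldpw == NULL || verify_old(oldpw) != 0);
    if (unusable) {
        /* PKINIT case from the spec: nothing usable was supplied (the user
         * typed a PIN, not a password), so step aside with PAM_IGNORE rather
         * than fail the whole password stack. */
        if (md->auth_used_pkinit)
            return PAM_IGNORE;
        /* Password case (assumed, not described on the page): a missing or
         * wrong old password is an error. */
        return PAM_AUTHTOK_ERR;
    }
    /* Otherwise attempt the change; a KDC refusal is an error (the exact
     * error code is an assumption). */
    return change(oldpw, newpw) == 0 ? PAM_SUCCESS : PAM_AUTHTOK_ERR;
}

/* Constructed stand-in KDC state for the example (not a real KDC). */
static char kdc_current_pw[64] = "hunter2";
static int kdc_pkinit_only = 0;  /* 1: KDC refuses password changes for this principal */

void fake_kdc_reset(int pkinit_only)
{
    strcpy(kdc_current_pw, "hunter2");
    kdc_pkinit_only = pkinit_only;
}

int fake_verify(const char *oldpw)
{
    return strcmp(oldpw, kdc_current_pw) == 0 ? 0 : -1;
}

int fake_change(const char *oldpw, const char *newpw)
{
    (void)oldpw;
    if (kdc_pkinit_only)
        return -1;   /* the KDC expects this user to keep using PKINIT */
    snprintf(kdc_current_pw, sizeof kdc_current_pw, "%s", newpw);
    return 0;
}

/* Convenience wrappers: one chauthtok call in the PKINIT or the password case. */
int chauthtok_after_pkinit(int flags, const char *oldpw, const char *newpw)
{
    struct krb5_module_data md = { 1 };
    return krb5_chauthtok_decide(flags, &md, oldpw, newpw, fake_verify, fake_change);
}

int chauthtok_after_password(int flags, const char *oldpw, const char *newpw)
{
    struct krb5_module_data md = { 0 };
    return krb5_chauthtok_decide(flags, &md, oldpw, newpw, fake_verify, fake_change);
}

int main(void)
{
    fake_kdc_reset(0);
    printf("prelim check:               %d (PAM_IGNORE=%d)\n",
           chauthtok_after_pkinit(PAM_PRELIM_CHECK, "hunter2", "s3cret"), PAM_IGNORE);
    printf("pkinit, no old passwd:      %d (PAM_IGNORE=%d)\n",
           chauthtok_after_pkinit(PAM_UPDATE_AUTHTOK, NULL, "s3cret"), PAM_IGNORE);
    printf("password, no old passwd:    %d (PAM_AUTHTOK_ERR=%d)\n",
           chauthtok_after_password(PAM_UPDATE_AUTHTOK, NULL, "s3cret"), PAM_AUTHTOK_ERR);
    printf("pkinit, good old passwd:    %d (PAM_SUCCESS=%d)\n",
           chauthtok_after_pkinit(PAM_UPDATE_AUTHTOK, "hunter2", "s3cret"), PAM_SUCCESS);
    fake_kdc_reset(1);
    printf("pkinit, KDC refuses change: %d (PAM_AUTHTOK_ERR=%d)\n",
           chauthtok_after_pkinit(PAM_UPDATE_AUTHTOK, "hunter2", "s3cret"), PAM_AUTHTOK_ERR);
    return 0;
}
```

The point Gary raises is visible in the two NULL-old-password calls: after a password login the module fails the stack, after a PKINIT login it steps aside with PAM_IGNORE so a `required` pam_krb5 entry in the password stack does not block a user whose KDC policy is to keep them on PKINIT. The last call shows the other half of the spec: when usable passwords are supplied but the KDC refuses the change, the module still reports an error rather than PAM_IGNORE.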