Brian Candler <[email protected]> writes:

> As I understand it, pam_krb5 is basically a password checker; it uses
> the password you supply to acquire a Kerberos ticket, and as a
> side-effect lets you login if it was able to acquire one. That's the
> "auth" functionality anyway. The "account" functionality is a bit more
> subtle. According to the manpage: http://linux.die.net/man/8/pam_krb5

> "If the module did participate in authenticating the user, it will check
> for an expired user password and verify the user's authorization using
> the .k5login file of the user being authenticated, which is expected to
> be accessible to the module."

It had better be doing this in the auth action as well, since otherwise
there are going to be vulnerabilities in practice. The account group
isn't as consistently and properly used as it should be.

-- 
Russ Allbery ([email protected]) <http://www.eyrie.org/~eagle/>
________________________________________________
Kerberos mailing list [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
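
Added example (not part of the original message and not pam_krb5's code): a simplified Python model of the .k5login authorization check quoted from the manpage, showing why a login can pass when that check lives only in the account group and the application never calls it. The function names, the realm EXAMPLE.ORG, the uids and the fallback rule for a missing .k5login are assumptions made for illustration.

```python
# Simplified model for illustration; real Kerberos libraries apply more rules.

def k5login_allows(principal, local_user, default_realm,
                   k5login_text=None, file_uid=None, user_uid=None):
    """Return True if `principal` may log in to the local account `local_user`."""
    if k5login_text is None:
        # No .k5login: only the account's own principal in the default realm.
        # Assumption: real libraries use a configurable name mapping here.
        return principal == f"{local_user}@{default_realm}"
    # Assumption: a file not owned by the account or by root is not trusted.
    if file_uid not in (user_uid, 0):
        return False
    listed = {line.strip() for line in k5login_text.splitlines()}
    listed.discard("")
    # When the file exists, only the principals it lists are authorized.
    return principal in listed


def login_permitted(ticket_acquired, principal, local_user, default_realm,
                    app_calls_account, check_in_auth, **k5login):
    """Model one login attempt.

    ticket_acquired   -- the password check (auth) obtained a ticket
    app_calls_account -- the application runs the account group at all
    check_in_auth     -- the module also checks authorization during auth
    """
    if not ticket_acquired:
        return False  # wrong password: auth fails regardless
    authorized = k5login_allows(principal, local_user, default_realm, **k5login)
    if check_in_auth and not authorized:
        return False
    if app_calls_account and not authorized:
        return False
    return True


if __name__ == "__main__":
    # Constructed case: bob knows his own password and names alice's account.
    for in_auth in (False, True):
        ok = login_permitted(True, "bob@EXAMPLE.ORG", "alice", "EXAMPLE.ORG",
                             app_calls_account=False, check_in_auth=in_auth)
        print(f"check_in_auth={in_auth}: login permitted = {ok}")
```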
