> The final spec and man page for the pam_krb5 pkinit project
> have been put into the case directory. If there are no
> further objections, this case should get approved at the meeting
> this week.
From message 60 of 17 Nov, and not yet answered:

Gary..

======

From pkinit-final:

"The pam_krb5 password module will change in that if PKINIT authentication was done it will return PAM_IGNORE in the following cases:

- the new passwd is NULL
- the old passwd is NULL
- verification of the old passwd fails.

If none of the above is true then pam_krb5 tries to change the password and will return an error if that fails. The rationale behind this is that if some PAM module causes pam_acct_mgmt() to return PAM_NEW_AUTHTOK_REQD and/or the app subsequently calls pam_chauthtok(), pam_krb5 will change a user's password. But this may well fail: the KDC may not want to allow a PKINIT user to change/set a password since the user may be expected to use PKINIT."

This information does not seem to be in the man page. How does the administrator know it?

Not being a pkinit expert, I'd like to understand how the password stack will know whether the user was authenticated by pkinit. As TCR, I feel strongly that the man page needs to be complete relative to this part of the spec.

I'm also concerned that pam_krb5 in the password stack won't likely be called without PAM_AUTHTOK or PAM_OLDAUTHTOK set. Which call to pam_sm_chauthtok(), PAM_PRELIM_CHECK and/or PAM_UPDATE_AUTHTOK, will be making these checks?