On Mon, Jun 22, 2015 at 11:06:36PM +0200, Antoine Jacoutot wrote: > On Mon, Jun 22, 2015 at 09:09:01AM +0100, Stuart Henderson wrote:
> > IIRC it is correct that "non-system" methods have a - prefix. > > How is your login class set? I haven't used krb5, but I *think* it should > > look like this, > > :auth=-krb5-or-pwd: > Correct, this is all explained in login.conf(5): > Local authentication styles may be added by creating a login script for > the style (see below). To prevent collisions with future official BSD > Authentication style names, all local style names should start with a > dash (-). Current plans are for all official BSD Authentication style > names to begin with a lower case alphabetic character. For example, if > you have a new style you refer to as slick then you should create an > authentication script named /usr/libexec/auth/login_-slick using the > style name -slick. When logging in via the login(1) program, the syntax > user:-slick would be used. I had wondered if I was missing something. Would it be good to note the difference in the manpages? The manpage talks only about it being login_krb5. Between that and my historical usage when it was in base, I just put it in without the dash. --Kurt
