I would like for the su command to NOT prompt the user for any password
when the user has a Kerberos ticket. That is, su should not prompt for a
Kerberos or unix passwd. PAM is unable to determine if a terminal is
encrypted and so the system should not inspire the user to cough up a
password.
I simply added:
auth sufficient pam_ksu.so no_warn
to the second line in the default /etc/pam.d/su config file. It worked,
but I would not expect to be prompted for a password when I already have
a ticket. (Secure single sign on is the whole point, right?)
What I desire is the behavior of the MIT ksu command. If the principal
is listed in .k5login and has a valid ticket for the requesting
principal, to be granted the shell as the new UID.
Near as I can tell, the Heimdal ksu command that comes with FreeBSD has
nothing to do with PAM. Is that true?
Don't assume that I understand PAM. I have been looking at this for all
of a couple days. It seems dead simple. Maybe I just can't get the
behavior I want.
Thanks,
Jason C. Wells
_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
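
Added example, not part of the original message and not code from ksu or pam_ksu: a sketch of the .k5login authorization decision the message describes, where a principal listed in the target account's .k5login is allowed to become that account. The function name, the sample principals, and the ownership and write-permission checks are assumptions made for illustration; verifying that the caller actually holds a valid ticket is out of scope here.

```python
import os
import stat


def k5login_allows(path, principal, target_uid):
    """Return True if `principal` is listed in the .k5login file at `path`.

    Hypothetical helper. Fails closed: any problem with the file means deny.
    """
    if not principal:
        return False
    try:
        # O_NOFOLLOW: refuse a symlink planted in place of the real file.
        fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW)
    except OSError:
        return False  # missing, unreadable, or a symlink
    with os.fdopen(fd, "r", encoding="utf-8", errors="replace") as fh:
        # fstat the descriptor we opened, so the checks and the read
        # apply to the same file even if the path is swapped afterwards.
        st = os.fstat(fh.fileno())
        if not stat.S_ISREG(st.st_mode):
            return False
        # Assumed policy: only the target account or root may own the list.
        if st.st_uid not in (target_uid, 0):
            return False
        # Assumed policy: a list that group or others can write to is not
        # trusted, because anyone could have added themselves to it.
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            return False
        for line in fh:
            # One principal per line; the match is exact and case-sensitive.
            if line.strip() == principal:
                return True
    return False


if __name__ == "__main__":
    import tempfile

    # Constructed sample data: a throwaway .k5login in a temp directory.
    with tempfile.TemporaryDirectory() as home:
        k5login = os.path.join(home, ".k5login")
        with open(k5login, "w") as fh:
            fh.write("jason@EXAMPLE.ORG\njason/root@EXAMPLE.ORG\n")
        os.chmod(k5login, 0o600)
        for who in ("jason/root@EXAMPLE.ORG", "other@EXAMPLE.ORG"):
            print(who, k5login_allows(k5login, who, os.getuid()))
```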