>This is kind of funny, as chkpw should use all calls citserver will
>use, right? or did we forget to put some into chkpw?

I don't know much about Kerberos. Isn't it supposed to do some sort of three-way handshake that eliminates the need for the user to type a password? Straight PAM authentication probably wouldn't be capable of doing that?

There is a very specific reason why I called that new config variable "auth mode" -- it implies that there could end up being several different authentication modes, not simply "host auth on/off". In particular, as part of BossRoss's project, I may end up implementing an auth mode that speaks LDAP directly instead of using pam_ldap as a shim.