Jeffrey Hutzelman wrote:
>
>
> On Monday, April 02, 2007 10:33:31 AM +0100 Darren J Moffat
> <Darren.Moffat at Sun.COM> wrote:
>
>> Shawn M Emery wrote:
>>> The stack configuration is for authentication and attempts to add a
>>> pam_krb5 entry with a sufficient control flag after pam_unix_cred. For
>>> example, sshd-kbdint would look like:
>>>
>>> sshd-kbdint auth requisite pam_authtok_get.so.1
>>> sshd-kbdint auth required pam_dhkeys.so.1
>>> sshd-kbdint auth required pam_unix_cred.so.1
>>> sshd-kbdint auth sufficient pam_krb5.so.1
>>> sshd-kbdint auth required pam_unix_auth.so.1
>>>
>>
>> Why sufficient rather than binding ?
>
> Because binding would prevent me from logging in using only a local
> password?

IIRC pam_krb5.so.1 will return PAM_IGNORE for users that have no
Kerberos principal, right?

If so, assuming the local password is different and you have a Kerberos
principal and failed the authentication for that, then yes, binding would
cause the stack to fail in that case.

--
Darren J Moffat
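
The sufficient-versus-binding question discussed in this thread can be checked with a small model of the stack. The following is an added example, not code from any poster or from libpam: it is a simplified rendering of the control-flag rules in Solaris pam.conf(4), and the per-scenario return codes are constructed (including the thread's recollection that pam_krb5 returns PAM_IGNORE when the user has no principal).

```python
# Added illustration: simplified model of the pam.conf(4) control flags.
# It is not libpam; the return codes in each scenario are constructed.
OK, ERR, IGNORE = "PAM_SUCCESS", "PAM_AUTH_ERR", "PAM_IGNORE"

def auth_stack(krb5_flag):
    """The sshd-kbdint auth stack from the thread, with pam_krb5's flag variable."""
    return [("requisite", "pam_authtok_get"), ("required", "pam_dhkeys"),
            ("required", "pam_unix_cred"), (krb5_flag, "pam_krb5"),
            ("required", "pam_unix_auth")]

def run_stack(stack, rc):
    """Return True if the stack authenticates, given {module: return code}."""
    required_failed = any_success = False
    for flag, module in stack:
        code = rc[module]
        if code == IGNORE:                      # module opts out entirely
            continue
        if code == OK:
            if flag in ("sufficient", "binding") and not required_failed:
                return True                     # stop here with success
            any_success = True
        elif flag == "requisite":
            return False                        # stop here with failure
        elif flag in ("required", "binding"):
            required_failed = True              # remembered, stack continues
        # a failing sufficient/optional module is not held against the user
    return any_success and not required_failed

def scenario(krb5, unix_auth):
    # Assumption: the first three modules succeed in every scenario.
    return {"pam_authtok_get": OK, "pam_dhkeys": OK, "pam_unix_cred": OK,
            "pam_krb5": krb5, "pam_unix_auth": unix_auth}

SCENARIOS = {
    "no principal, local password correct": scenario(IGNORE, OK),
    "principal, Kerberos password correct": scenario(OK, ERR),
    "principal, only local password correct": scenario(ERR, OK),
    "principal, both passwords wrong": scenario(ERR, ERR),
}

def compare():
    """Map scenario name -> (result with sufficient, result with binding)."""
    return {name: (run_stack(auth_stack("sufficient"), rc),
                   run_stack(auth_stack("binding"), rc))
            for name, rc in SCENARIOS.items()}

if __name__ == "__main__":
    for name, (suff, bind) in compare().items():
        print(f"{name:42} sufficient={suff!s:5} binding={bind}")
```

The two flags differ only in the third scenario: a user who has a principal but supplies only a valid local password passes with sufficient and is rejected with binding.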