Hi Shawn (and opensolaris security community), What I'm about to mention is not related to the pam_krb5 bug we have been talking about but is a musing on the behavior of pam_krb5 in a different sense.
I'm starting to think that pam_krb5 doesn't correctly accept the user's password from pam_authtok_get.so.1 in the pam configuration. It almost seems like pam_krb5 asks for a password itself. I was playing around with dtlogin stuff, and noticed that even though I had a pam_authtok_get.so.1 item at the top of the dtlogin stack, it still asks me for a password IF my password fails the kerberos check.

For example, here's my pam.conf section for dtlogin:

    dtlogin auth requisite  pam_authtok_get.so.1
    dtlogin auth required   pam_unix_cred.so.1
    dtlogin auth sufficient pam_unix_auth.so.1
    dtlogin auth sufficient pam_krb5.so.1
    dtlogin auth required   pam_ldap.so.1

So it checks local account/password first; if nothing there, checks kerberos account/password; if nothing there, checks ldap account/password.

Here's the thing. My users have kerberos AND LDAP accounts using the same username on both, but have DIFFERENT passwords. So if I try to log in as user "weiler" and enter my LDAP password, it goes down like this at the DTLOGIN screen:

    Please enter your username: weiler
    Please enter your password: xxxxxx      (LDAP password, correctly entered)
    Enter Kerberos password for weiler:     (why does it ask? Doesn't PAM automatically pass my
                                             previously entered password to pam_krb5? I just hit
                                             enter and it continues)

Then it lets me in, I'm guessing using my LDAP password to authenticate me. If I enter my kerberos password when it first asks me ("Please enter your password") it lets me in with a kerberos auth with no further ado.

I need to have pam_krb5 before pam_ldap in the PAM stack because if folks use their Kerberos passwords they need to be auth'd by pam_krb5 so they get a krb5 ticket (we use kerberized NFSv4 for secure home directories with some people). The fact that it asks "Enter Kerberos password for weiler" is odd because I thought pam_authtok_get.so.1 passes the password to pam_krb5, but it seems like if that fails the pam_krb5 module itself asks AGAIN for the password.
The same PAM stack for sshd doesn't do this, maybe because SSH passes passwords differently. Weird. ciao, erich
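As an added illustration, not part of Erich's message or of the Solaris PAM code, here is a toy Python evaluator of pam.conf control-flag semantics (requisite / required / sufficient) run over the dtlogin auth stack quoted above. The account tables, the passwords, the stand-in modules and the `reprompt_on_failure` switch (which only models the observed behaviour of pam_krb5 asking again after the stored token fails) are constructed assumptions of this toy, not real module options.

```python
"""Toy evaluator for a Solaris-style pam.conf auth stack (not PAM itself).

Shows how requisite/required/sufficient decide the outcome, where the password
token (PAM_AUTHTOK) comes from, and why a user with different Kerberos and
LDAP passwords still gets in via LDAP while only the Kerberos path yields a
ticket. All accounts and passwords below are constructed sample data.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

PAM_SUCCESS = "PAM_SUCCESS"
PAM_AUTH_ERR = "PAM_AUTH_ERR"
PAM_USER_UNKNOWN = "PAM_USER_UNKNOWN"

# Constructed tables: "weiler" has no local entry, and a Kerberos principal and
# an LDAP account with the same name but different passwords.
LOCAL_PASSWD: Dict[str, str] = {"root": "local-root-pw"}
KRB5_PRINCIPALS: Dict[str, str] = {"weiler": "krb5-secret"}
LDAP_ACCOUNTS: Dict[str, str] = {"weiler": "ldap-secret"}


@dataclass
class Handle:
    """Stand-in for pam_handle_t plus the conversation function."""
    user: str
    responses: List[str]                      # what the user types at each prompt
    authtok: Optional[str] = None             # PAM_AUTHTOK set by pam_authtok_get
    prompts: List[str] = field(default_factory=list)
    krb5_ticket: bool = False
    result: str = ""
    trace: List[Tuple[str, str]] = field(default_factory=list)

    def converse(self, prompt: str) -> str:
        self.prompts.append(prompt)
        return self.responses.pop(0) if self.responses else ""


def pam_authtok_get(h: Handle) -> str:
    h.authtok = h.converse("Please enter your password: ")
    return PAM_SUCCESS

def pam_unix_cred(h: Handle) -> str:
    return PAM_SUCCESS                        # credential setup; always succeeds here

def pam_unix_auth(h: Handle) -> str:
    if h.user not in LOCAL_PASSWD:
        return PAM_USER_UNKNOWN
    return PAM_SUCCESS if LOCAL_PASSWD[h.user] == h.authtok else PAM_AUTH_ERR

def make_pam_krb5(reprompt_on_failure: bool) -> Callable[[Handle], str]:
    """Toy pam_krb5. reprompt_on_failure (an assumption of this toy, not a real
    option) models the reported behaviour: after the stored token fails, the
    module asks for a Kerberos password itself without touching PAM_AUTHTOK."""
    def pam_krb5(h: Handle) -> str:
        if h.user not in KRB5_PRINCIPALS:
            return PAM_USER_UNKNOWN
        candidate = h.authtok
        if KRB5_PRINCIPALS[h.user] != candidate and reprompt_on_failure:
            candidate = h.converse(f"Enter Kerberos password for {h.user}: ")
        if KRB5_PRINCIPALS[h.user] == candidate:
            h.krb5_ticket = True                  # successful krb5 auth yields a TGT
            return PAM_SUCCESS
        return PAM_AUTH_ERR
    return pam_krb5

def pam_ldap(h: Handle) -> str:
    if h.user not in LDAP_ACCOUNTS:
        return PAM_USER_UNKNOWN
    return PAM_SUCCESS if LDAP_ACCOUNTS[h.user] == h.authtok else PAM_AUTH_ERR


Stack = List[Tuple[str, str, Callable[[Handle], str]]]

def dtlogin_stack(reprompt_on_failure: bool = False) -> Stack:
    """The dtlogin auth stack from the message, in pam.conf order."""
    return [
        ("requisite",  "pam_authtok_get.so.1", pam_authtok_get),
        ("required",   "pam_unix_cred.so.1",   pam_unix_cred),
        ("sufficient", "pam_unix_auth.so.1",   pam_unix_auth),
        ("sufficient", "pam_krb5.so.1",        make_pam_krb5(reprompt_on_failure)),
        ("required",   "pam_ldap.so.1",        pam_ldap),
    ]

def run_stack(stack: Stack, h: Handle) -> Tuple[str, List[Tuple[str, str]]]:
    """Apply control-flag semantics; return (final result, per-module trace)."""
    trace: List[Tuple[str, str]] = []
    first_required_failure: Optional[str] = None
    for flag, name, module in stack:
        rc = module(h)
        trace.append((name, rc))
        if flag == "requisite" and rc != PAM_SUCCESS:
            return first_required_failure or rc, trace   # stop at once
        if flag == "required" and rc != PAM_SUCCESS and first_required_failure is None:
            first_required_failure = rc                  # remembered, stack continues
        if flag == "sufficient" and rc == PAM_SUCCESS and first_required_failure is None:
            return PAM_SUCCESS, trace                    # short-circuit; rest never runs
        # a failing sufficient module is simply ignored
    return first_required_failure or PAM_SUCCESS, trace

def login(password: str, extra: Tuple[str, ...] = (), reprompt: bool = False) -> Handle:
    """Simulate weiler logging in through dtlogin with the given typed password."""
    h = Handle(user="weiler", responses=[password, *extra])
    h.result, h.trace = run_stack(dtlogin_stack(reprompt), h)
    return h

if __name__ == "__main__":
    for h in (login("ldap-secret"), login("ldap-secret", ("",), reprompt=True), login("krb5-secret")):
        print(h.result, "ticket=%s" % h.krb5_ticket, "prompts=%d" % len(h.prompts), h.trace)
```

The three runs in `__main__` reproduce the three situations described: the LDAP password succeeds at the last `required` module with no ticket, the re-prompting variant adds a second prompt but still ends up authenticating against LDAP with the original token, and the Kerberos password short-circuits at the `sufficient` pam_krb5 entry so pam_ldap is never consulted.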