Gary Winiger wrote:
> Darren,
>
>> That is exactly what is going on.
>>
>> Are you asking for pam_krb5 to only try once with the value of
>> PAM_AUTHTOK and not to ever prompt you again if that doesn't work ?
>> I think we could add a module option for that. The behaviour annoys
>> me as well :-)
>> Please log a bug for this on http://bugs.opensolaris.org if that is
>> what you are asking for.
>
> I'm not sure what you're suggesting. Perhaps I should go back
> and reread the entire sequence, so if I'm off base, just shoot
> the piano player.
>
> No PAM service module should be asking for a username or password.
> That was EOLed when pam_authtok_get(5) was introduced.
> Unfortunately, pam_ldap(5) and pam_krb5(5) implementations didn't
> seem to implement things the same as pam_unix_auth(5).

I wouldn't say it as strong as EOL, more unnecessary for them to do it on their own since pam_authtok_get exists now and performs that function.

> I thought we had the spec right for pam_krb5 a couple years ago,
> perhaps not since I recall code reviewing for Shawn to delete all
> the use/try code vestiges that remained. IIRC, Shawn was concerned
> about customer calls if he fixed the code either of the ways discussed
> as a bug fix. I'll leave Shawn correct my recollection ;_)

All the {use,try}_first_pass stuff has gone from pam_krb5 and pam_ldap. It isn't that uncommon for people to have a different Kerberos and LDAP password in the UNIX world. It is uncommon when Microsoft Active Directory is deployed because it has them be the same.

> My summary: No current service module prompts for a username or
> password other than pam_authtok_get(5) (and in the special case of
> password change pam_passwd_auth(5)).

While that was certainly the goal for the Solaris modules, pam_krb5's hardcoded behaviour is equivalent to what you used to get with try_first_pass. I know we discussed this and I'm pretty sure it is documented why in the PSARC cases that approved the changes; I'll need to look it up though.

See the code here:
http://cvs.opensolaris.org/source/xref/on/usr/src/lib/pam_modules/krb5/krb5_authenticate.c#278

--
Darren J Moffat
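
The two behaviours discussed in this thread (a single try with PAM_AUTHTOK versus falling back to a prompt), as an added C model that is not part of the original message and is not pam_krb5 source. Every name in it (`module_auth`, `struct session`, the policy values) is hypothetical, and the passwords are constructed sample values.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the behaviour discussed in the thread. It is not
 * pam_krb5 source; every name below is hypothetical. */
enum result { AUTH_OK, AUTH_FAIL };
enum policy {
    ONCE_NO_PROMPT,     /* the module option proposed in the thread */
    RETRY_WITH_PROMPT   /* the try_first_pass-equivalent behaviour */
};

struct session {
    const char *authtok;    /* stands in for PAM_AUTHTOK from pam_authtok_get */
    const char *next_typed; /* what the user types if the module prompts */
    int module_prompts;     /* prompts issued by the service module itself */
};

static int matches(const char *expected, const char *candidate)
{
    return candidate != NULL && strcmp(expected, candidate) == 0;
}

/* One service module verifying against its own password store. */
enum result module_auth(enum policy p, const char *store_pw, struct session *s)
{
    /* The first attempt always uses the token already collected. */
    if (matches(store_pw, s->authtok))
        return AUTH_OK;
    if (p == ONCE_NO_PROMPT)
        return AUTH_FAIL;   /* fail without talking to the user again */

    /* Retry path: the module prompts on its own. */
    s->module_prompts++;
    return matches(store_pw, s->next_typed) ? AUTH_OK : AUTH_FAIL;
}

int main(void)
{
    /* Constructed case: the user's UNIX and Kerberos passwords differ. */
    struct session s = { "unix-pw", "krb-pw", 0 };
    enum result once = module_auth(ONCE_NO_PROMPT, "krb-pw", &s);
    printf("once:  %s, module prompts=%d\n",
           once == AUTH_OK ? "ok" : "fail", s.module_prompts);
    enum result retry = module_auth(RETRY_WITH_PROMPT, "krb-pw", &s);
    printf("retry: %s, module prompts=%d\n",
           retry == AUTH_OK ? "ok" : "fail", s.module_prompts);
    return 0;
}
```
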