Subject: Re: login.conf for selecting password verification method (was Re: Kerberos is on by default?)
To: None <firstname.lastname@example.org>
From: Johan Danielsson <email@example.com>
Date: 06/30/2000 13:05:37
Aidan Cully <firstname.lastname@example.org> writes:
> Under Heimdal, I don't see a case (except ENOMEM) where
> krb5_init_context will return error, and that's probably what's
> causing the behaviour people are seeing.
Right, you don't need a krb5.conf to use it.
> What I'd like to do is use the login.conf interface to select
> authentication mechanisms...
This is ok for login, but we really need something for other apps
too. Having telnet read login.conf doesn't strike me as very pretty.
> I'm not at the stage, yet, where I'll suggest adding hooks for
> external authenticators, but I'd like to know if BSDI can handle
> fallback authentication at the login.conf level... e.g., krb5 auth
> fails, try local with the same password. Or (and this is secondary)
> if it can support stuff like 'try krb5 and krb4, if either succeeds
> we're good'. Without having access to a BSDI system to experiment,
> I couldn't really follow their login.conf man page.
Is the BSDI thing much better than PAM? PAM isn't great but it exists,
and is almost a standard.