Subject: Re: login.conf for selecting password verification method
To: Johan Danielsson <>
From: Aidan Cully <>
List: tech-net
Date: 06/30/2000 22:47:42
On Fri, Jun 30, 2000 at 01:05:37PM +0200, Johan Danielsson wrote:
> Aidan Cully <> writes:
> > What I'd like to do is use the login.conf interface to select
> > authentication mechanisms...
> This is ok for login, but we really need something for other apps
> too. Having telnet read login.conf doesn't strike me as very pretty.

Telnet is a non-issue, here...  telnetd can figure out if it can
support krb5 by checking the results of krb5_kt_default(), possibly,
and telnet can check for the existance of a krb5 ccache, at least.
But getting initial credentials, and changing the password don't
seem to require much infrastructure in Heimdal...  (a quick glance
makes it look like it can get everything it needs using DNS, and no
local configuration, which isn't necessarily desirable.)  I think
login.conf is a pretty good place to configure password validation/
maintenance, which is the only problem I'm trying to solve.

> > I'm not at the stage, yet, where I'll suggest adding hooks for
> > external authenticators, but I'd like to know if BSDI can handle
> > fallback authentication at the login.conf level...  e.g., krb5 auth
> > fails, try local with the same password.  Or (and this is secondary)
> > if it can support stuff like 'try krb5 and krb4, if either succeeds
> > we're good'.  Without having access to a BSDI system to experiment,
> > I couldn't really follow their login.conf man page.
> Is the BSDI thing much better than PAM? PAM isn't great but it exists,
> and is almost a standard.

I suggested BSDI because we got login.conf from them, no other
reason.  I was trying to avoid starting this argument, but I guess
it can be a kind of loaded topic...