Subject: Re: login.conf for selecting password verification method (was Re: Kerberos is on by default?)
To: None <>
From: Johan Danielsson <>
List: tech-userlevel
Date: 06/30/2000 13:05:37
Aidan Cully <> writes:

> Under Heimdal, I don't see a case (except ENOMEM) where
> krb5_init_context will return error, and that's probably what's
> causing the behaviour people are seeing.

Right, you don't need a krb5.conf to use it.

> What I'd like to do is use the login.conf interface to select
> authentication mechanisms...

This is ok for login, but we really need something for other apps
too. Having telnet read login.conf doesn't strike me as very pretty.

> I'm not at the stage, yet, where I'll suggest adding hooks for
> external authenticators, but I'd like to know if BSDI can handle
> fallback authentication at the login.conf level...  e.g., krb5 auth
> fails, try local with the same password.  Or (and this is secondary)
> if it can support stuff like 'try krb5 and krb4, if either succeeds
> we're good'.  Without having access to a BSDI system to experiment,
> I couldn't really follow their login.conf man page.

Is the BSDI thing much better than PAM? PAM isn't great but it exists,
and is almost a standard.