Subject: Re: login.conf for selecting password verification method (was Re: Kerberos is on by default?)
To: None <>
From: Jason R Thorpe <>
List: tech-userlevel
Date: 06/30/2000 07:55:38
On Fri, Jun 30, 2000 at 02:55:48AM -0400, Aidan Cully wrote:

 > FWIW, the assumption I made with k5 integration on passwd and login
 > (which was valid for the MIT code) was that the existance of a krb5.conf
 > was the way to enable/disable krb5.  krb5_init_context() would return an
 > error code when that file didn't exist, so I checked its return value as
 > an indication of if or not to use kerberos.  Under Heimdal, I don't see
 > a case (except ENOMEM) where krb5_init_context will return error, and
 > that's probably what's causing the behaviour people are seeing.
 > I'm not convinced that it would be a good idea to change Heimdal's
 > behaviour when the krb5.conf file doesn't exist to match MIT's (at
 > least, the MIT version I'm familiar with).  What I'd like to do is use

I think in the short-term (i.e. in time for 1.5), we should change
Heimdal's behavior to match MIT's wrt. krb5_init_context().

For post-1.5, we should investigate adding the mechanisms to login.conf,
possibly also supporting dynamically-loaded auth modules a'la PAM.

        -- Jason R. Thorpe <>