Subject: Re: login.conf for selecting password verification method (was Re: Kerberos
To: None <firstname.lastname@example.org>
From: Jaromír Doleček <email@example.com>
Date: 06/30/2000 20:26:59
Jason R Thorpe wrote:
> I think in the short-term (i.e. in time for 1.5), we should change
> Heimdal's behavior to match MIT's wrt. krb5_init_context().

This would not help for passwd at least, if I parse the code correctly.

> For post-1.5, we should investigate adding the mechanisms to login.conf,
> possibly also supporting dynamically-loaded auth modules a'la PAM.

Actually, the applications should probably be changed so that a
failure to obtain krb context (failure of getting principal in
krb5_parse_name(), or failure of krb5_get_init_creds_password())
would not be treated as a fatal error. This means that e.g.
passwd's krb5_passwd.c:krb5_chpw() would return -1 instead of 1
if either of those functions fails, so that the login in main() would
also try other methods.

Does Heimdal return a special error if a function fails due to
the krb server not running?

Reminds me ... is there any krb4_passwd.c? The krb4_chpw() and
friends seem to be referenced in passwd.c ifdef KERBEROS, but
there is no such function in the passwd's sources.

Jaromir Dolecek <jdolecek@NetBSD.org> http://www.ics.muni.cz/~dolecek/
@@@@ Wanna a real operating system ? Go and get NetBSD, damn! @@@@
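
The return-code convention proposed in the message above, as an added example that is not part of the original post and is not NetBSD's passwd code: a method returning -1 lets the caller try the next one, while 1 stops the run. The `sim_*` functions, the `krb_result` classes, the success value 0 and the choice to keep a rejected password fatal are assumptions of this sketch.

```c
#include <stdio.h>
#include <stddef.h>
#include <string.h>

/* From the message: 1 = fatal, -1 = let the caller try the next method.
 * 0 = success is assumed here. */
enum { CHPW_OK = 0, CHPW_FATAL = 1, CHPW_SKIP = -1 };
/* Hypothetical outcome classes standing in for real Kerberos error codes. */
enum krb_result { KRB_SUCCESS, KRB_NO_PRINCIPAL, KRB_KDC_DOWN, KRB_BAD_PASSWORD };
/* Constructed knob: what the simulated Kerberos step reports. */
enum krb_result sim_krb = KRB_SUCCESS;

/* Only "Kerberos cannot serve this user right now" becomes a skip. */
int krb_rc(enum krb_result r) {
    switch (r) {
    case KRB_SUCCESS:      return CHPW_OK;
    case KRB_NO_PRINCIPAL: /* user is not a Kerberos user */
    case KRB_KDC_DOWN:     return CHPW_SKIP;
    default:               return CHPW_FATAL; /* e.g. rejected password */
    }
}

int sim_krb5_chpw(const char *user)  { (void)user; return krb_rc(sim_krb); }
int sim_local_chpw(const char *user) { return user[0] ? CHPW_OK : CHPW_FATAL; }

struct method { const char *name; int (*chpw)(const char *user); };
const struct method methods[] = {
    { "krb5",  sim_krb5_chpw  },
    { "local", sim_local_chpw },
};

/* Walk the methods in order; stop at the first one that does not skip. */
int change_password(const char *user, const char **used) {
    for (size_t i = 0; i < sizeof methods / sizeof methods[0]; i++) {
        int rc = methods[i].chpw(user);
        if (rc == CHPW_SKIP)
            continue;
        *used = methods[i].name;
        return rc;
    }
    *used = "none";
    return CHPW_FATAL; /* every method skipped: fail closed */
}

int main(void) {
    const char *used;
    sim_krb = KRB_KDC_DOWN; /* constructed scenario: server not running */
    int rc = change_password("alice", &used);
    printf("rc=%d via %s\n", rc, used);
    return 0;
}
```

Whether a real library reports an unreachable server distinctly from a rejected password is the question the message asks; the mapping in `krb_rc()` depends on that answer.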