Subject: Re: login.conf for selecting password verification method (was Re: Kerberos is on by default?)
To: =?iso-8859-1?Q?Jarom=EDr_Dole=E8ek?= <>
From: Aidan Cully <>
List: tech-userlevel
Date: 07/01/2000 01:04:35
On Fri, Jun 30, 2000 at 08:26:59PM +0200, Jaromír Doleček wrote:
> Jason R Thorpe wrote:
> > I think in the short-term (i.e. in time for 1.5), we should change
> > Heimdal's behavior to match MIT's wrt. krb5_init_context().
> This would not help for passwd at least, if I parse the code correctly.

I think you may be parsing the code incorrectly...

		pw_modules[i].invalid |= (*pw_modules[i].pw_init)(__progname) ?
		    /* zero on success, non-zero on error */
		    INIT_INVALID : 0;
krb5_init(const char *progname)
    return krb5_init_context(&context);

If krb5_init_context returns anything but 0 (indicating success), the
'invalid' field will be set for that pw_module.  (Actually, it looks
like krb5_init_context will be called twice, in that module...  I'll
have to look it over, when I finish upgrading my local box.)

> > For post-1.5, we should investigate adding the mechanisms to login.conf,
> > possibly also supporting dynamically-loaded auth modules a'la PAM.
> Actually, the applications should probably be changed so that a
> failure to obtain krb context (failure of getting principal in
> krb5_parse_name(), or failure of krb5_get_init_creds_password())
> would not be treated as fatal error. This means that e.g.
> passwd's krb5_passwd.c:krb5_chpw() would return -1 instead of 1
> if either of those functions fails, so that the login in main() would
> try also other methods.

I don't know how useful the krb5_parse_name change would be, but it
probably should be made.  Once we've read the password, though, it
should definitely be a fatal error, IMO.  IOW, I disagree in the
case of krb5_get_init_creds_password().

> Does Heimdal return special error if a function fails due to
> krb server not running ?