Subject: PAM and su -K
To: None <tech-userlevel@netbsd.org>
From: Emmanuel Dreyfus <manu@netbsd.org>
List: tech-userlevel
Date: 01/16/2005 11:06:06
Hi

Switching su to PAM kills the -K option. We have 3 choices:

1) Nobody cares about su -K, let it die.

2) Modify the PAM API so that su has an opportunity to tell the PAM
kerberos module that it does not want kerberos authentication. It would
be done by adding a PAM_NOKERBEROS attribute. That's somewhat ugly
because it adds an attribute only for su -K.

3) When -K is used, su would name itself as the "su-nokerberos" service
instead of "su" when starting PAM. We'd ship the system with two PAM
config files for su: plain "su" with kerberos authentication, and
"su-nokerberos" without Kerberos authentication. The administrator can
disable su -K by modifying su-nokerberos.

My preference goes to #3 because it maintains full backward
compatibility at the expense of a single line in su code, and without
touching the PAM API. Of course if nobody ever uses su -K, then #1 is
the way to go, but we need to know if nobody really uses su -K.

Does anyone use su -K?

-- 
Emmanuel Dreyfus
A book in French about BSD:
http://www.eyrolles.com/Informatique/Livre/9782212114638/livre-bsd.php
manu@netbsd.org
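Option 3 from the message above, as an added example that is not part of the original post and not NetBSD's su code: the service name su would hand to PAM, plus a check that the "su-nokerberos" policy keeps Kerberos out of the auth stack. The helper names, the two policy texts and the module names (pam_krb5, pam_unix, pam_rootok) are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample policies, not NetBSD's shipped files. */
static const char SU_CONF[] =
    "# /etc/pam.d/su (constructed)\n"
    "auth sufficient pam_rootok.so\n"
    "auth sufficient pam_krb5.so\n"
    "auth required   pam_unix.so\n";

static const char SU_NOKRB_CONF[] =
    "# /etc/pam.d/su-nokerberos (constructed)\n"
    "auth sufficient pam_rootok.so\n"
    "auth required   pam_unix.so\n";

/* Option 3's single line in su: the service name later given to PAM. */
const char *su_pam_service(int kflag)
{
    return kflag ? "su-nokerberos" : "su";
}

/* Return 1 if a non-comment line of `facility` loads `module` (prefix match). */
int stack_loads(const char *conf, const char *facility, const char *module)
{
    char line[256], fac[32], ctl[64], mod[128];
    while (*conf) {
        size_t n = strcspn(conf, "\n");
        size_t c = n < sizeof line - 1 ? n : sizeof line - 1;
        memcpy(line, conf, c);
        line[c] = '\0';
        conf += n + (conf[n] == '\n');
        if (line[0] == '#')
            continue;
        if (sscanf(line, "%31s %63s %127s", fac, ctl, mod) == 3 &&
            strcmp(fac, facility) == 0 &&
            strncmp(mod, module, strlen(module)) == 0)
            return 1;
    }
    return 0;
}

int main(void)
{
    for (int k = 0; k <= 1; k++) {
        const char *conf = k ? SU_NOKRB_CONF : SU_CONF;
        printf("%-14s kerberos in auth stack: %s\n", su_pam_service(k),
               stack_loads(conf, "auth", "pam_krb5") ? "yes" : "no");
    }
    return 0;
}
```

The parser handles only simple "facility control module" lines; bracketed control fields containing spaces are outside what this check covers.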