Subject: Re: login.conf for selecting password verification method (was Re: Kerberos is on by default?)
To: None <tech-userlevel@netbsd.org>
From: Johan Danielsson <joda@pdc.kth.se>
List: tech-net
Date: 06/30/2000 13:05:37

Aidan Cully <aidan@kublai.com> writes:

> Under Heimdal, I don't see a case (except ENOMEM) where
> krb5_init_context will return error, and that's probably what's
> causing the behaviour people are seeing.

Right, you don't need a krb5.conf to use it.

> What I'd like to do is use the login.conf interface to select
> authentication mechanisms...

This is ok for login, but we really need something for other apps
too. Having telnet read login.conf doesn't strike me as very pretty.

> I'm not at the stage, yet, where I'll suggest adding hooks for
> external authenticators, but I'd like to know if BSDI can handle
> fallback authentication at the login.conf level...  e.g., krb5 auth
> fails, try local with the same password.  Or (and this is secondary)
> if it can support stuff like 'try krb5 and krb4, if either succeeds
> we're good'.  Without having access to a BSDI system to experiment,
> I couldn't really follow their login.conf man page.

Is the BSDI thing much better than PAM? PAM isn't great but it exists,
and is almost a standard.

/Johan