Subject: Re: login.conf for selecting password verification method (was Re: Kerberos is on by default?)
To: None <tech-userlevel@netbsd.org>
From: Jason R Thorpe <thorpej@zembu.com>
List: tech-userlevel
Date: 06/30/2000 07:55:38

On Fri, Jun 30, 2000 at 02:55:48AM -0400, Aidan Cully wrote:
> FWIW, the assumption I made with k5 integration on passwd and login
> (which was valid for the MIT code) was that the existence of a krb5.conf
> was the way to enable/disable krb5. krb5_init_context() would return an
> error code when that file didn't exist, so I checked its return value as
> an indication of whether or not to use Kerberos. Under Heimdal, I don't see
> a case (except ENOMEM) where krb5_init_context will return error, and
> that's probably what's causing the behaviour people are seeing.
>
> I'm not convinced that it would be a good idea to change Heimdal's
> behaviour when the krb5.conf file doesn't exist to match MIT's (at
> least, the MIT version I'm familiar with). What I'd like to do is use

I think in the short-term (i.e. in time for 1.5), we should change
Heimdal's behavior to match MIT's wrt. krb5_init_context().

For post-1.5, we should investigate adding the mechanisms to login.conf,
possibly also supporting dynamically-loaded auth modules à la PAM.

--
-- Jason R. Thorpe <thorpej@zembu.com>