password expiry for a principal
Russ Allbery
rra at stanford.edu
Sat Jan 19 15:28:55 EST 2008
"Markus Moeller" <huaraz at moeller.plus.com> writes:
> I did some work with Russ' module on OpenSolaris and Solaris 10 release
> 4 (which has Kerberos headers and libraries). I noted a small issue
> (crash of pam_krb5 when calling pam_setcred in cache_init_from_cache
> since for some reason the pointer to the old cache is NULL). There
> seems to be also a problem with retrieving the old token as the module
> will ask again for the current password (although this is related to
> using Sun's pam_authtok_get.so.1 to retrieve tokens/passwords).

Hm, I'm going to need more information in both cases to be able to track
this down. At least, the debug logging output is needed. Having a
pre-existing context without having a valid cache in that context is
something that shouldn't happen; pam_authenticate clears the context from
the PAM environment if it was unable to create a ticket cache.

Similarly, with obtaining the old authentication tokens, that code is very
straightforward and I don't know why that would fail. I need more
information on exactly what the return status for pam_get_item would be.
If you enable use_authtok instead of use_first_pass, you should get an
error message and an abort in the PAM stack if pam-krb5 can't retrieve the
authentication token.

Thank you for looking at this! I'd love to get it to work.

--
Russ Allbery (rra at stanford.edu) <http://www.eyrie.org/~eagle/>