pam-krb5 4.5 released

Russ Allbery rra at stanford.edu
Fri Feb 10 15:38:19 EST 2012


Stephen Frost <sfrost at snowman.net> writes:

>   Regarding SecurID support- that all seems to be working just fine from
>   kinit and through ssh/pam-krb5 (with ChallengeResponse and PAM
>   enabled, of course).  However, as you might expect, both pam-krb5 (as
>   tested with OpenSSH) and kinit prompt for the principal's 'normal'
>   password before prompting for the token code (and it cares- it won't
>   work if you don't provide the correct PW).

Yes, I have a pending patch to allow you to disable all password prompting
behavior in the module because you're using some other mechanism than
password and want the Kerberos prompter to just take care of it all.  I'm
going to try to get out a new release with that change this month.  There
currently isn't a way to avoid that password prompt, unfortunately.

If you want to try the patch in advance of a new release, the contributed
patch to add this option is at:

    http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=626506

-- 
Russ Allbery (rra at stanford.edu)             <http://www.eyrie.org/~eagle/>

