Harald Dunkel <[email protected]> writes:
> I changed krb5.conf accordingly:
> :
> :
> [auth]
> expose_account = true
> [password]
> expose_account = true

You want:

    [appdefaults]
        pam = {
            expose_account = true
        }

The krb5.conf file doesn't know anything about PAM groups. Apologies for
that not being very clear. :/

> But this did not help. I still get
> # passwd jupp
> Current Kerberos password:
> Please note that the prompt is not "Password:".

Right, it's Password: for the authentication prompt and the above for the
password prompt.

> I am pretty sure that Kerberos doesn't have to fall back on "security
> through obscurity".

The overriding reason why the principal isn't included in the
authentication prompt by default is that it breaks various ssh clients
when used in combination with ChallengeResponseAuthentication (which is
the default in ssh). The point about not exposing principal and realm
information is secondary, although I know there are people who feel
strongly about it in the name of defense in depth.

I could include it in the password prompt by default, I suppose, although
then it gets a bit awkward for people to configure that behavior when the
expose_account option has different defaults for the different stacks
(particularly since there's no way to turn off a boolean in the PAM
configuration, only via krb5.conf).

--
Russ Allbery ([email protected]) <http://www.eyrie.org/~eagle/>
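
Added example, not part of the original message and not code from pam-krb5: a small checker that reports where an option such as expose_account sits in a krb5.conf, so the misplaced layout quoted above can be told apart from the [appdefaults] pam = { } layout given in the reply. The function names and the EXAMPLE.ORG realm are hypothetical, both sample files are constructed, and only the layout shown in the reply is treated as the expected location.

```python
import re

# Constructed sample inputs mirroring the two layouts in the thread.
MISPLACED = """\
[libdefaults]
    default_realm = EXAMPLE.ORG
[auth]
    expose_account = true
[password]
    expose_account = true
"""
CORRECTED = """\
[libdefaults]
    default_realm = EXAMPLE.ORG
[appdefaults]
    pam = {
        expose_account = true
    }
"""

def locate(text, key):
    """Return ((section, subsection, ...), value) for every `key = value` line."""
    hits, section, stack = [], None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":         # blank line or comment
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:                                   # new top-level section
            section, stack = m.group(1), []
        elif line.startswith("}"):              # end of a subsection
            if stack:
                stack.pop()
        elif "=" in line:
            name, value = (p.strip() for p in line.split("=", 1))
            if value == "{":                    # start of a subsection
                stack.append(name)
            elif name == key:
                hits.append(((section, *stack), value))
    return hits

def check_pam_option(text, key="expose_account"):
    """Split hits into those under [appdefaults] pam = { } and those elsewhere."""
    ok, elsewhere = [], []
    for path, value in locate(text, key):
        (ok if path == ("appdefaults", "pam") else elsewhere).append((path, value))
    return ok, elsewhere
```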