Yair Yarom <[email protected]> writes:
> Russ Allbery <[email protected]> writes:
>> Yair Yarom <[email protected]> writes:

>>> Some preauth plugins have their own password prompts, and with
>>> pam_krb5 always asking for password, the result is two password
>>> prompts (when the first might be ignored, as the preauth can replace
>>> the key).

>>> I suggest a no_password option to solve this issue. Attached is a
>>> patch that does it.

>> The standard PAM way to do this is to use either the try_first_pass or
>> use_first_pass options (see the man page) depending on what fallback
>> behavior you want if no password is already stored in the PAM stack.
>> Have you tried this already?  If so, what about those options doesn't
>> accomplish what you need?

> try_first_pass and use_first_pass won't work. The password never gets
> through the PAM mechanism but rather through the kerberos preauth
> plugin.

Oh, the *preauth* prompt, which is of course handled by the Kerberos
library prompting mechanism and displayed that way.  Sorry, I clearly read
your message too quickly.  Yes, your patch makes sense with that context
and I'll look at incorporating it into the module.

-- 
Russ Allbery ([email protected])               <http://www.eyrie.org/~eagle/>



-- 
To UNSUBSCRIBE, email to [email protected]
with a subject of "unsubscribe". Trouble? Contact [email protected]

Reply via email to