John Darrington <j...@darrington.wattle.id.au> writes:

> On Thu, Oct 27, 2016 at 02:51:02PM +0200, Ludovic Courtès wrote:
> >
> > On its own it does nothing. It makes more sense in context with the
> > other patch I sent.
> > With this option in place, one can extend the unix-pam-service with
> > another pam service
> > (such as krb5-pam), and if the krb5 authentication fails (for example
> > because I am not
> > at work) then the password I gave will be presented to the regular
> > pam_unix login.
> > I won't be prompted for it again.
>
> In that case, instead of hardcoding ‘use_first_pass’ here, would it be
> possible for the pam-krb5 service to extend ‘pam-root-service-type’ with
> a procedure that automatically adds ‘use_first_pass’ where needed?
>
>
> I will look into it. But almost any other pam module will want to do
> the same

Yes, and what I suggest will allow you to do that.

> - at least any other which uses passphrase based authentication. So I
> thought why put the onus on every other module to do this?

It’s not entirely clear that ‘use_first_pass’ is generally desirable,
Kerberos aside. So I think it makes more sense to add it as part of the
Kerberos service, with an explanation of why it’s important in this
context.

Ludo’.