[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [PATCH 2/3] gnu: pam_unix.so Add use_first_pass option.
From: |
Ludovic Courtès |
Subject: |
Re: [PATCH 2/3] gnu: pam_unix.so Add use_first_pass option. |
Date: |
Fri, 28 Oct 2016 14:48:20 +0200 |
User-agent: |
Gnus/5.13 (Gnus v5.13) Emacs/25.1 (gnu/linux) |
John Darrington <address@hidden> skribis:
> On Thu, Oct 27, 2016 at 02:51:02PM +0200, Ludovic Court??s wrote:
> >
> > On its own it does nothing. It makes more sense in context with the
> other patch I sent.
> > With this option in place, one can extend the unix-pam-service with
> another pam service
> > (such as krb5-pam), and if the krb5 authentication fails (for example
> because I am not
> > at work) then the password I gave will be presented to the regular
> pam_unix login.
> > I won't be prompted for it again.
>
> In that case, instead of hardcoding ???use_first_pass??? here, would it
> be
> possible for the pam-krb5 service to extend ???pam-root-service-type???
> with
> a procedure that automatically adds ???use_first_pass??? where needed?
>
>
> I will look into it. But almost any other pam module will want to do
> the same
Yes, and what I suggest will allow you to do that.
> - at least
> any other which uses passphrase based authentication. So I thought why put
> the onus on
> every other module to do this?
It’s not entirely clear that ‘use_first_pass’ is generally desirable,
Kerberos aside. So I think it makes more sense to add it as part of the
Kerberos service, with an explanation of why it’s important in this
context.
Ludo’.
[PATCH 3/3] gnu: Add pam-krb5 service., John Darrington, 2016/10/22