Package: libpam-krb5
Version: 4.4-1
Severity: wishlist
Tags: upstream patch
Some preauth plugins have their own password prompts, and since pam_krb5 always
asks for a password, the result is two password prompts (the first of which may
be ignored, as the preauth can replace the key).
I suggest a no_password option to solve this issue. Attached is a patch that
does it.
Thanks,
Yair.
-- System Information:
Debian Release: wheezy/sid
APT prefers testing
APT policy: (990, 'testing'), (500, 'unstable'), (500, 'stable'), (1,
'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.38.4-rt-1 (SMP w/6 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages libpam-krb5 depends on:
ii krb5-config 2.2 Configuration files for Kerberos V
ii libc6 2.11.2-11 Embedded GNU C Library: Shared lib
ii libkrb5-3 1.9+dfsg-1+b1 MIT Kerberos runtime libraries
ii libpam-runtime 1.1.2-2 Runtime support for the PAM librar
ii libpam0g 1.1.2-2 Pluggable Authentication Modules l
libpam-krb5 recommends no packages.
libpam-krb5 suggests no packages.
-- no debconf information
diff --git a/auth.c b/auth.c
index 9821edd..0643505 100644
--- a/auth.c
+++ b/auth.c
@@ -689,7 +689,7 @@ pamk5_password_auth(struct pam_args *args, const char *service,
goto done;
}
do {
- if ((pass == NULL || *pass == '\0') && !args->try_pkinit) {
+ if ((pass == NULL || *pass == '\0') && !args->try_pkinit && !args->no_password) {
const char *prompt = (service == NULL) ? NULL : "Current";
retry = 0;
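Review bot: With no_password set the prompt is skipped and `pass` stays NULL, but nothing in the hunk shows how the rest of pamk5_password_auth copes with a NULL password — if it is handed to the krb5 initial-credentials call or stored as PAM_AUTHTOK, that path needs an explicit NULL check; the function starts and continues outside the hunk. The intent of the extra condition deserves a comment on the changed line, e.g. `/* no_password: leave pass NULL so the krb5 library (or a preauth plugin) does its own prompting. */`. Because the module then never obtains a password itself, modules stacked after it that rely on the authtok will not receive one; the pod text says so, and a matching comment here would keep that contract visible in the code.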
diff --git a/internal.h b/internal.h
index c9bdb11..c54c444 100644
--- a/internal.h
+++ b/internal.h
@@ -76,6 +76,7 @@ struct pam_args {
krb5_deltat lifetime; /* Lifetime of credentials. */
int minimum_uid; /* Ignore users below this UID. */
int no_ccache; /* Don't create a ticket cache. */
+ int no_password; /* don't prompt for password */
int prompt_princ; /* Prompt for the Kerberos principal. */
char *realm; /* Default realm. */
krb5_deltat renew_lifetime; /* Renewable lifetime of credentials. */
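Review bot: The new field's comment `/* don't prompt for password */` breaks the style of the neighbouring fields, which are capitalized sentences ending in a period; use `/* Don't prompt for the password. */`. It would also help to state the consequence the pod text describes, e.g. `/* Don't prompt for the password; prompting is left to the krb5 library, so PAM_AUTHTOK is not set. */`.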
diff --git a/options.c b/options.c
index 121161a..9aabf4a 100644
--- a/options.c
+++ b/options.c
@@ -308,6 +308,7 @@ pamk5_args_parse(pam_handle_t *pamh, int flags, int argc, const char **argv)
default_boolean(args, c, "ignore_root", 0, &args->ignore_root);
default_string(args, c, "keytab", NULL, &args->keytab);
default_number(args, c, "minimum_uid", 0, &args->minimum_uid);
+ default_boolean(args, c, "no_password", 0, &args->no_password);
default_boolean(args, c, "only_alt_auth", 0, &args->only_alt_auth);
default_string(args, c, "pkinit_anchors", NULL, &args->pkinit_anchors);
default_boolean(args, c, "pkinit_prompt", 0, &args->pkinit_prompt);
@@ -392,6 +393,8 @@ pamk5_args_parse(pam_handle_t *pamh, int flags, int argc, const char **argv)
args->minimum_uid = atoi(&argv[i][strlen("minimum_uid=")]);
else if (strcmp(argv[i], "no_ccache") == 0)
args->no_ccache = 1;
+ else if (strcmp(argv[i], "no_password") == 0)
+ args->no_password = 1;
else if (strcmp(argv[i], "only_alt_auth") == 0)
args->only_alt_auth = 1;
else if (strncmp(argv[i], "pkinit_anchors=", 15) == 0) {
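Review bot: `no_password` is accepted without being checked against options that depend on the module having obtained the password itself, so a contradictory configuration is honoured silently (the pod text already warns that the authtok is left unset). If pamk5_args_parse has a consistency pass over the parsed options — the rest of the function is outside the hunk — `no_password` belongs in it; otherwise the conflict should at least be logged where the flags are combined. The parsing itself mirrors the surrounding options, and the default_boolean entry in the earlier hunk keeps the alphabetical order of that table.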
diff --git a/pam_krb5.pod b/pam_krb5.pod
index 75b4b7f..8cc1a93 100644
--- a/pam_krb5.pod
+++ b/pam_krb5.pod
@@ -269,6 +269,15 @@ system account incorrectly authenticating as that system account.
This option can be set in F<krb5.conf>.
+=item no_password
+
+Don't force a password prompt. Instead, let kerberos prompt for the
+password. This is useful when, e.g. a preauth is responsible for password
+prompting which otherwise will result with two password prompts.
+
+With this option the pam's authtok isn't set, which might cause some problems
+if any other pam module/function requires it.
+
=item only_alt_auth
This option is used with I<alt_auth_map> and forces the use of the mapped