I've attached updated pam_krb5.5 and pam_krb5.5.diffmarked.
On Mon, Dec 14, 2009 at 05:42:23PM -0600, Will Fiveash wrote:
> On Mon, Dec 14, 2009 at 02:52:51PM -0800, Gary Winiger wrote:
> > > The final spec and man page for the pam_krb5 pkinit project
> > > have been p
PAM_UPDATE_AUTHTOK
> will be making these checks?
The checks are made if the PAM_UPDATE_AUTHTOK flag is set. The project
is not changing the behavior of pam_sm_chauthtok() if the
PAM_PRELIM_CHECK flag is set which is to return PAM_IGNORE.
--
Will Fiveash
Sun Microsystems
On Fri, Dec 11, 2009 at 09:18:24AM +, Darren Moffat wrote:
> Will Fiveash wrote:
> > On Mon, Dec 07, 2009 at 05:59:25PM +, Darren Moffat wrote:
> >> I believe we are still waiting on a final spec for this case.
> >>
> >> Specifically is the intent to
On Fri, Dec 11, 2009 at 09:18:24AM +, Darren Moffat wrote:
> Will Fiveash wrote:
> > On Mon, Dec 07, 2009 at 05:59:25PM +, Darren Moffat wrote:
> >> I believe we are still waiting on a final spec for this case.
> >>
> >> Specifically is the intent to
st) needs to be created to have the pkinit
preauth plugin enhanced to properly handle those type of card readers.
--
Will Fiveash
Sun Microsystems Inc.
http://opensolaris.org/os/project/kerberos/
Sent from mutt, a sweet ASCII MUA
I've attached the updated:
- fasttrack
- pam_krb5 man page
- pam_krb5 man page diff marked
--
Will Fiveash
Sun Microsystems Inc.
http://opensolaris.org/os/project/kerberos/
Sent from mutt, a sweet ASCII MUA
-- next part --
Template Version: @(#)sac_nextcase 1.68 02/23/09 SMI
Th
On Wed, Dec 09, 2009 at 09:45:20AM +, Darren Moffat wrote:
> Will Fiveash wrote:
> > On Mon, Dec 07, 2009 at 12:38:30PM -0600, Will Fiveash wrote:
> >> On Mon, Dec 07, 2009 at 05:59:25PM +, Darren Moffat wrote:
> >>> I believe we are still waiting
On Wed, Dec 09, 2009 at 02:45:31PM -0600, Will Fiveash wrote:
> On Wed, Dec 09, 2009 at 02:34:09PM -0500, Wyllys Ingersoll wrote:
> > * If PAM_AUTHTOK is NOT set, prompt for the PIN and attempt to use it. If
> > it fails, return
> > AUTHFAIL.
>
> Well, depending
prompt at all
login auth required pam_krb5.so.1   # will try password based krb auth using PAM_AUTHTOK
                                    # if pam_krb5.so.1 pkinit fails
> * If PAM_AUTHTOK is NOT set, prompt for the PIN and attempt to use it. If it
> fails, return
On Mon, Dec 07, 2009 at 12:38:30PM -0600, Will Fiveash wrote:
> On Mon, Dec 07, 2009 at 05:59:25PM +, Darren Moffat wrote:
> > I believe we are still waiting on a final spec for this case.
> >
> > Specifically is the intent to add a 'pkinit' module option
for the delay (was on vacation). I'll update the spec
taking the "pkinit" module option approach which is preferable over the
pam_krb5_pkinit approach of creating a new PAM module to do PKINIT for
the reasons mentioned earlier in this discussion.
--
Will Fiveash
Sun Microsystems I
to me this is a perfect case of proper use of a module
> option. The code for password based versus PKINIT based Kerberos
> authentication is in the very high 90% range of common code, in fact
> it is pretty much just a flag to a lower level API. Gary however
> seems to prefer
l desktop?
>
> Bottom line, IMO, 3, 4 and 5 need to be addressed in the spec. If they
> have been, please point me to where? I'll "hold my nose[tm]" relative
> to 1 and 2.
Here is the updated fasttrack spec:
Template Version: @(#)sac_nextcase 1.68 02/23/09 SMI
T
kt_warnd(1M) will be notified, to alert
the user when the initial credentials are about to expire.
SunOS 5.11 Last change: 8 Apr 2008 10
--
Will Fiveash
Sun Microsystems Inc.
http://opensolaris.org/os/project/kerberos/
Sent from mutt, a sweet ASCII MUA
On Thu, Nov 12, 2009 at 03:04:29PM -0600, Will Fiveash wrote:
> On Wed, Nov 11, 2009 at 06:28:59PM -0600, Nicolas Williams wrote:
> > On Wed, Nov 11, 2009 at 04:06:00PM -0800, Gary Winiger wrote:
> > > > I t
m_sm_chauthtok() return
> PAM_IGNORE if a) PKINIT was used and b) the KDC rejects the password
> change. (Will, I recommend making that change.)
I've made the modification such that if the pam_sm_authenticate in
pam_krb5 did not use a password as is the case with PKINIT then
pam_sm_chauthtok() will return PAM_IGNORE if:
- the new passwd is NULL
- the old passwd is NULL
- verification of the old passwd fails.
If none of the above is true then pam_krb5 tries to change the password
and will return an error if that fails.
--
Will Fiveash
Sun Microsystems Inc.
http://opensolaris.org/os/project/kerberos/
Sent from mutt, a sweet ASCII MUA
On Tue, Nov 10, 2009 at 12:58:23PM -0600, Will Fiveash wrote:
> My fasttrack sponsor has requested I wrap up this discussion. Currently
> the only change to my original fasttrack proposal is the addition of the
> passwd_fallback option to pam_krb5 in pam.conf. In the pam_krb5(5) man
>
like something that should not require a module option.
> Stack flow is controlled by the control flag part of the pam.conf entry.
>
> So if preauth failure is not fatal, it should simply be configured as
> 'optional' or 'sufficient'.
I discussed your point with
pam_authtok_get if this option is used.
I have submitted the diff marked man page containing that information
earlier in this thread.
--
Will Fiveash
Sun Microsystems Inc.
http://opensolaris.org/os/project/kerberos/
Sent from mutt, a sweet ASCII MUA
On Tue, Nov 10, 2009 at 08:54:52AM -0600, Douglas E. Engert wrote:
>
>
> Will Fiveash wrote:
> > On Mon, Nov 09, 2009 at 02:20:45PM -0800, Gary Winiger wrote:
> >>>>> I want to see an updated pam_krb5(5) man page explaining how to use
http://sac.eng/cgi-bin/bp.cgi?NAME=interface_taxonomy.bp
>
> Patch implies Minor, Minor does not imply Patch.
Sorry I got that from a related fasttrack. I mean Minor.
--
Will Fiveash
Sun Microsystems Inc.
http://opensolaris.org/os/project/kerberos/
Sent from mutt, a sweet ASCII MUA
d and thus does not set PAM_AUTHTOK.
> To me, a separate module as described seem cleaner and easier to understand
> and configure than how I understand the current proposal.
> What have I missed in my understanding (or have I missed so much that
> it can't even be explained ;-)?
I think my proposal is very similar functionally and requires less code
change.
--
Will Fiveash
Sun Microsystems Inc.
http://opensolaris.org/os/project/kerberos/
Sent from mutt, a sweet ASCII MUA
M or even just pam_krb5.
> For auth and setcred, the second instance of the module will return
> PAM_IGNORE if the first instance returned PAM_SUCCESS (at least as of
> Friday, right Will?).
That is correct.
--
Will Fiveash
Sun Microsystems Inc.
http://opensolaris.org/os/project/kerberos/
Sent from mutt, a sweet ASCII MUA
to find a Release Binding in the case materials.
> What is the Release Binding?
Minor/Patch
--
Will Fiveash
Sun Microsystems Inc.
http://opensolaris.org/os/project/kerberos/
Sent from mutt, a sweet ASCII MUA
On Fri, Nov 06, 2009 at 05:37:12PM -0600, Nicolas Williams wrote:
> On Fri, Nov 06, 2009 at 05:06:27PM -0600, Will Fiveash wrote:
> > On Thu, Nov 05, 2009 at 02:18:33PM -0800, Henry B. Hotz wrote:
> > > Couple of points:
> > >
> > > While I don't s
On Thu, Nov 05, 2009 at 03:37:00PM -0600, Douglas E. Engert wrote:
>
>
> Will Fiveash wrote:
> > On Thu, Oct 22, 2009 at 04:55:17PM -0500, Will Fiveash wrote:
> >> On Thu, Oct 22, 2009 at 05:40:47PM +0100, Darren Moffat wrote:
> >>> Wyllys Inge
mple of a smart-card-required configuration with
> pkinit-only pam_krb5 and fall-back to pam_pkcs11 if the network connection
> is down.
dtlogin auth sufficient pam_krb5.so.1
dtlogin auth sufficient pam_pkcs11.so.1
dtlogin auth required pam_unix_
On Fri, Nov 06, 2009 at 03:27:19PM -0600, Will Fiveash wrote:
> On Thu, Oct 22, 2009 at 05:40:47PM +0100, Darren Moffat wrote:
> >
> > I want to see an updated pam_krb5(5) man page explaining how to use PKINIT
> > and including the example PAM stacks for use of PK
h sufficient pam_krb5.so.1
+ dtlogin auth sufficient pam_pkcs11.so.1
+ dtlogin auth required pam_unix_cred.so.1
+
+
ATTRIBUTES
See attributes(5) for descriptions of the following attri-
butes:
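Review bot: the pam_krb5.so.1 line of the example stack carries no module option, so nothing in the example itself shows what makes this the "pkinit-only" configuration the surrounding text describes as distinct from the existing password-based use of pam_krb5; either show the option on that line or state in the text how PKINIT-only behaviour is selected, and say that on a pam_krb5 failure the next sufficient module, pam_pkcs11.so.1, is what provides the offline fall-back.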
--
Will Fiveash
Sun Microsystems Inc.
http://opensolaris.org/os/project/kerberos/
Sent from mutt, a sweet ASCII MUA
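The thread argues about control flags (required/sufficient/optional) and about the second pam_krb5 instance returning PAM_IGNORE when the first succeeded, and it quotes two stacks: the dtlogin stack above (pam_krb5, pam_pkcs11, pam_unix_cred) and the two-instance login stack with a password-based `pam_krb5.so.1` line. The following is an added example, not code from the pam_krb5 project or from anyone in the thread: a small Python simulation of how a Solaris-style pam.conf stack combines module results, so those stacks can be dry-run without a KDC or a card reader. Assumptions: the `pkinit` module option and the `optional` flag on the first line of the login stack are my reading of the later "pkinit module option" decision, pam_unix_cred.so.1 is modelled as returning PAM_IGNORE from its auth entry point, an optional or sufficient failure is reported only when nothing in the stack succeeded, and a stack in which every module returned PAM_IGNORE fails closed; the per-scenario module results are constructed.

```python
"""Solaris-style pam.conf stack evaluator (added example, not project code).

Simulates how control flags combine module return codes. Return codes are
modelled as strings; the real numeric PAM values are not used here.
"""

PAM_SUCCESS = "PAM_SUCCESS"
PAM_IGNORE = "PAM_IGNORE"
PAM_AUTH_ERR = "PAM_AUTH_ERR"
PAM_AUTHINFO_UNAVAIL = "PAM_AUTHINFO_UNAVAIL"
PAM_PERM_DENIED = "PAM_PERM_DENIED"


def run_stack(stack, outcome):
    """Evaluate stack = [(control_flag, module), ...].

    outcome(module, history) returns the module's code; history is the list
    of (module, code) already produced, which lets a second pam_krb5
    instance see that the first one succeeded (the thread's PAM_IGNORE case).
    Returns (final_code, history).
    """
    history = []
    required_err = None   # first failure of a required/binding module
    optional_err = None   # first failure of an optional/sufficient module
    succeeded = False     # did any module return PAM_SUCCESS?
    for control, module in stack:
        rc = outcome(module, list(history))
        history.append((module, rc))
        if rc == PAM_IGNORE:
            continue                      # framework ignores this result
        if rc == PAM_SUCCESS:
            succeeded = True
            if control in ("sufficient", "binding") and required_err is None:
                break                     # immediate success, skip the rest
            continue
        # module failed
        if control == "requisite":
            return rc, history            # immediate failure
        if control in ("required", "binding"):
            required_err = required_err or rc
        elif control in ("optional", "sufficient"):
            optional_err = optional_err or rc
        else:
            raise ValueError("unknown control flag %r" % control)
    if required_err is not None:
        return required_err, history
    if not succeeded:
        # Assumption: an optional/sufficient failure counts only when nothing
        # succeeded, and an all-PAM_IGNORE stack fails closed.
        return optional_err or PAM_PERM_DENIED, history
    return PAM_SUCCESS, history


# dtlogin stack from the diff-marked man page quoted in the thread
DTLOGIN_AUTH = [
    ("sufficient", "pam_krb5.so.1"),
    ("sufficient", "pam_pkcs11.so.1"),
    ("required", "pam_unix_cred.so.1"),
]

# two-instance login stack: a pkinit instance, then the password instance
# ("login auth required pam_krb5.so.1" in the thread). The "pkinit" option
# and the "optional" flag on the first line are assumptions.
LOGIN_AUTH = [
    ("optional", "pam_krb5.so.1 pkinit"),
    ("required", "pam_krb5.so.1"),
    ("required", "pam_unix_cred.so.1"),
]


def make_outcome(results):
    """Build an outcome function from constructed per-module results."""
    def outcome(module, history):
        if module == "pam_unix_cred.so.1":
            return PAM_IGNORE  # assumption: auth entry point is a no-op
        if module == "pam_krb5.so.1" and any(
                m.startswith("pam_krb5.so.1") and rc == PAM_SUCCESS
                for m, rc in history):
            return PAM_IGNORE  # second instance defers to a successful first
        return results[module]
    return outcome


def scenario(stack, results):
    """Run one constructed scenario; returns (final_code, modules_called)."""
    code, history = run_stack(stack, make_outcome(results))
    return code, [m for m, _ in history]


if __name__ == "__main__":
    # network down: PKINIT cannot reach the KDC, the card still works locally
    print(scenario(DTLOGIN_AUTH, {"pam_krb5.so.1": PAM_AUTHINFO_UNAVAIL,
                                  "pam_pkcs11.so.1": PAM_SUCCESS}))
    # no token inserted: pkinit instance fails, password instance takes over
    print(scenario(LOGIN_AUTH, {"pam_krb5.so.1 pkinit": PAM_AUTHINFO_UNAVAIL,
                                "pam_krb5.so.1": PAM_SUCCESS}))
```

In the dtlogin scenario the sufficient pam_pkcs11.so.1 success ends the stack, so pam_unix_cred.so.1 is never called; when both sufficient modules fail, the first failure is what the application sees, because nothing in the stack succeeded. In the login stack, a PKINIT success makes the password instance return PAM_IGNORE, so the user is never asked for a password, while a PKINIT failure leaves the outcome to the required password instance.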
On Thu, Oct 22, 2009 at 04:55:17PM -0500, Will Fiveash wrote:
> On Thu, Oct 22, 2009 at 05:40:47PM +0100, Darren Moffat wrote:
> > Wyllys Ingersoll wrote:
> > > Template Version: @(#)sac_nextcase 1.68 02/23/09 SMI
> > > This information is Copyright 2009 Sun Microsy
On Tue, Oct 27, 2009 at 04:47:00PM -0500, Will Fiveash wrote:
> On Thu, Oct 22, 2009 at 05:40:47PM +0100, Darren Moffat wrote:
> >
> > The concept seems reasonable but what will the prompts look like ?
>
> I've been doing some testing and I have a question in regar
doesn't seem reasonable to prompt a user for a PIN in the case a token
containing a cert/key does not exist. Thoughts?
--
Will Fiveash
Sun Microsystems Inc.
http://opensolaris.org/os/project/kerberos/
Sent from mutt, a sweet ASCII MUA
laris PAM implementation and
will not be addressed by this pam_krb5 enhancement.
> On Oct 22, 2009, at 6:16 PM, Will Fiveash wrote:
>
> > Be aware that the current OpenSolaris PAM framework typically relies on
> > the pam_authtok_get module to prompt for the password. OpenSolaris
troduction
> >> 1.1. Project/Component Working Name:
> >> pam_krb5 PKINIT support
> >> 1.2. Name of Document Author/Supplier:
> >> Author: Will Fiveash
> >> 1.3 Date of This Document:
e:
> > pam_krb5 PKINIT support
> > 1.2. Name of Document Author/Supplier:
> > Author: Will Fiveash
> > 1.3 Date of This Document:
> > 22 October, 2009
> > 4. Technical Description
> > pam_krb5 PKINIT support
> > --
m/cpg/krb5?
--
Will Fiveash
Sun Microsystems Office x64079/512-401-1079
Austin, TX, 78727 (TZ=CST6CDT), USA
Internal Solaris Kerberos/GSS/SASL website: http://kerberos.sfbay.sun.com
http://opensolaris.org/os/project/kerberos/
On Tue, Jun 19, 2007 at 07:24:49PM -0500, Will Fiveash wrote:
> On Tue, Jun 19, 2007 at 05:08:50PM -0700, Gary Winiger wrote:
> > > The krb team is discussing this now but my take is since this is a new
> > > command and MIT may well change the interface I would say Volatile.
On Tue, Jun 19, 2007 at 09:49:48PM -0400, Wyllys Ingersoll wrote:
> James C. McPherson wrote:
> >Wyllys Ingersoll wrote:
> >>I am sponsoring the following fast-track for Will Fiveash.
> >>
> >>* The release binding is patch/micro.
> >>* The interface s
On Tue, Jun 19, 2007 at 08:29:06PM -0400, Bill Sommerfeld wrote:
> On Tue, 2007-06-19 at 19:24 -0500, Will Fiveash wrote:
>
> > > What happens if the optional -w is omitted? Does it prompt
> > > or find the passwd somewhere else.
> >
> > It will prompt.
l [-d dbname] [-f stashfile_name]
[-k mkeytype] [-m ] [-M mkeyname] [-P password] [-r realm]
cmd
I can easily disable -w passwd in kdb5_ldap_util but I wasn't sure if it
would be allowed for MIT compat.
--
Will Fiveash
On Tue, Jun 19, 2007 at 02:02:05PM -0700, Gary Winiger wrote:
> > I am sponsoring the following fast-track for Will Fiveash.
> >
> > * The release binding is patch/micro.
> > * The interface stability is committed.
>
> Presumably the intent is to