On Wed, Nov 11, 2009 at 06:28:59PM -0600, Nicolas Williams wrote:
On Wed, Nov 11, 2009 at 04:06:00PM -0800, Gary Winiger wrote:
I think this is
sufficient for now and it doesn't preclude adding module options or a
krb5.conf stanza (or
On Wed, Nov 11, 2009 at 04:06:00PM -0800, Gary Winiger wrote:
I think this is
sufficient for now and it doesn't preclude adding module options or a
krb5.conf stanza (or even user_attr(4) name=value pairs) to control this
in the
On Thu, Nov 12, 2009 at 03:04:29PM -0600, Will Fiveash wrote:
On Wed, Nov 11, 2009 at 06:28:59PM -0600, Nicolas Williams wrote:
On Wed, Nov 11, 2009 at 04:06:00PM -0800, Gary Winiger wrote:
I think this
is
Kerberos
On Wed, Nov 11, 2009 at 04:06:00PM -0800, Gary Winiger wrote:
I think this is
sufficient for now and it doesn't preclude adding module options or a
krb5.conf stanza (or even user_attr(4) name=value pairs) to control this
in the
I think this is
sufficient for now and it doesn't preclude adding module options or a
krb5.conf stanza (or even user_attr(4) name=value pairs) to control this
in the future.
Hopefully pam_eval will be a longer term way of
On Wed, Nov 11, 2009 at 04:06:00PM -0800, Gary Winiger wrote:
I think this is
sufficient for now and it doesn't preclude adding module options or a
krb5.conf stanza (or even user_attr(4) name=value pairs) to control this
in the
Will Fiveash wrote:
On Mon, Nov 09, 2009 at 02:20:45PM -0800, Gary Winiger wrote:
I want to see an updated pam_krb5(5) man page explaining how to use
PKINIT
and including the example PAM stacks for use of PKINIT.
I'd like to propose a different tack. This seems to be to suggest a
I will make another pitch at this, put pam_authtok_get first, and if
the password entered is PKI, PKINIT, smart card or some other
key phrase (blank?), then pam_krb5 will try PKINIT. You only need one
pam_krb5 on the stack too, and if the pam_authtok_get changes, you
don't have to
Wyllys Ingersoll wrote:
I will make another pitch at this, put pam_authtok_get first, and if
the password entered is PKI, PKINIT, smart card or some other
key phrase (blank?), then pam_krb5 will try PKINIT. You only need one
pam_krb5 on the stack too, and if the pam_authtok_get changes,
Will Fiveash wrote:
On Tue, Nov 10, 2009 at 08:54:52AM -0600, Douglas E. Engert wrote:
Will Fiveash wrote:
On Mon, Nov 09, 2009 at 02:20:45PM -0800, Gary Winiger wrote:
I want to see an updated pam_krb5(5) man page explaining how to use
PKINIT and including the example PAM stacks for
My fasttrack sponsor has requested I wrap up this discussion. Currently
the only change to my original fasttrack proposal is the addition of the
passwd_fallback option to pam_krb5 in pam.conf. In the pam_krb5(5) man
page it is documented as:
passwd_fallback Causes pam_krb5 to return
On Mon, Nov 09, 2009 at 12:11:58PM +0100, Joerg Barfurth wrote:
Douglas E. Engert schrieb:
Note that if pam_krb is stacked below pam_authtok_get it would function
as it currently does which is to get the user's Kerberos credential
using their long term Kerberos password.
That seems
On Tue, Nov 10, 2009 at 12:58:23PM -0600, Will Fiveash wrote:
My fasttrack sponsor has requested I wrap up this discussion. Currently
the only change to my original fasttrack proposal is the addition of the
passwd_fallback option to pam_krb5 in pam.conf. In the pam_krb5(5) man
page it is
Douglas E. Engert wrote:
I really strongly dislike the idea of having a special password that
causes
it to behave differently. It just smells like a bad hack.
Yes, it is a hack, based on the current pam limitations of only prompting
for user and password. A more flexible pam
I'm happy with the latest spec that has been proposed. I think this is
sufficient for now and it doesn't preclude adding module options or a
krb5.conf stanza (or even user_attr(4) name=value pairs) to control this
in the future.
--
Darren J Moffat
Darren J Moffat wrote:
Douglas E. Engert wrote:
I really strongly dislike the idea of having a special password that
causes
it to behave differently. It just smells like a bad hack.
Yes, it is a hack, based on the current pam limitations of only prompting
for user and password. A more
Douglas E. Engert schrieb:
Note that if pam_krb is stacked below pam_authtok_get it would
function
as it currently does which is to get the user's Kerberos credential
using their long term Kerberos password.
That seems reasonable.
FWIW I feel uncomfortable with the idea that presence or
On Mon, Nov 09, 2009 at 12:46:11PM -0600, Will Fiveash wrote:
But even so, I think we should provide krb5.conf [pam] section
equivalents for any module options.
My concern with this is that I'm proposing support of two instances of
pam_krb5 in an auth stack and some of these module options
I want to see an updated pam_krb5(5) man page explaining how to use
PKINIT
and including the example PAM stacks for use of PKINIT.
If I understand the project correctly:
* The project wants to do different prompting than pam_authtok_get(5).
* The project proposes to
On Mon, Nov 09, 2009 at 02:20:45PM -0800, Gary Winiger wrote:
I want to see an updated pam_krb5(5) man page explaining how to use
PKINIT
and including the example PAM stacks for use of PKINIT.
If I understand the project correctly:
I don't think that's quite correct.
*
What is the Release Binding?
Minor/Patch
Which is it Minor or Patch -- they are different see
http://sac.eng/BestPractices/release_taxonomy.html
and
http://sac.eng/cgi-bin/bp.cgi?NAME=interface_taxonomy.bp
Patch implies Minor, Minor does not imply
On Fri, Nov 06, 2009 at 05:37:12PM -0600, Nicolas Williams wrote:
On Fri, Nov 06, 2009 at 05:06:27PM -0600, Will Fiveash wrote:
On Thu, Nov 05, 2009 at 02:18:33PM -0800, Henry B. Hotz wrote:
Couple of points:
While I don't specifically advocate it, I note that Russ' pam_krb5 and
On Mon, Nov 09, 2009 at 02:28:34PM -0800, Gary Winiger wrote:
I want to see an updated pam_krb5(5) man page explaining how to use
PKINIT
and including the example PAM stacks for use of PKINIT.
I don't seem to find a Release Binding in the case materials.
What is the
On Mon, Nov 09, 2009 at 04:29:06PM -0600, Nicolas Williams wrote:
On Mon, Nov 09, 2009 at 02:20:45PM -0800, Gary Winiger wrote:
I want to see an updated pam_krb5(5) man page explaining how to use
PKINIT
and including the example PAM stacks for use of PKINIT.
If I
On Mon, Nov 09, 2009 at 02:20:45PM -0800, Gary Winiger wrote:
I want to see an updated pam_krb5(5) man page explaining how to use
PKINIT
and including the example PAM stacks for use of PKINIT.
I'd like to propose a different tack. This seems to be to suggest a
separate PAM
On Mon, Nov 09, 2009 at 04:42:58PM -0800, Gary Winiger wrote:
What is the Release Binding?
Minor/Patch
Which is it Minor or Patch -- they are different see
http://sac.eng/BestPractices/release_taxonomy.html
and
On Thu, Oct 22, 2009 at 05:40:47PM +0100, Darren Moffat wrote:
I want to see an updated pam_krb5(5) man page explaining how to use PKINIT
and including the example PAM stacks for use of PKINIT.
Here is the updated pam_krb5(5) man page with diffs following:
Standards, Environments, and
On Fri, Nov 06, 2009 at 03:27:19PM -0600, Will Fiveash wrote:
On Thu, Oct 22, 2009 at 05:40:47PM +0100, Darren Moffat wrote:
I want to see an updated pam_krb5(5) man page explaining how to use PKINIT
and including the example PAM stacks for use of PKINIT.
Nico request a different diff
On Thu, Nov 05, 2009 at 02:18:33PM -0800, Henry B. Hotz wrote:
Couple of points:
While I don't specifically advocate it, I note that Russ' pam_krb5 and the
RedHat pam_krb5 both use configuration info in krb5.conf. I personally
would think that's simpler, but probably less pam-like.
On Fri, Nov 06, 2009 at 05:06:27PM -0600, Will Fiveash wrote:
On Thu, Nov 05, 2009 at 02:18:33PM -0800, Henry B. Hotz wrote:
Couple of points:
While I don't specifically advocate it, I note that Russ' pam_krb5 and the
RedHat pam_krb5 both use configuration info in krb5.conf. I
On Thu, Nov 05, 2009 at 03:37:00PM -0600, Douglas E. Engert wrote:
Will Fiveash wrote:
On Thu, Oct 22, 2009 at 04:55:17PM -0500, Will Fiveash wrote:
On Thu, Oct 22, 2009 at 05:40:47PM +0100, Darren Moffat wrote:
Wyllys Ingersoll wrote:
Template Version: @(#)sac_nextcase 1.68
While working out the various permutations of PAM auth stacks I've
discovered that my fasttrack was not complete in regards to new
interfaces.
At yesterday's meeting, I asked for more time through today.
Unfortunately, I'm not going to be able to get through this
case
On Thu, Oct 22, 2009 at 04:55:17PM -0500, Will Fiveash wrote:
On Thu, Oct 22, 2009 at 05:40:47PM +0100, Darren Moffat wrote:
Wyllys Ingersoll wrote:
Template Version: @(#)sac_nextcase 1.68 02/23/09 SMI
This information is Copyright 2009 Sun Microsystems
1. Introduction
1.1.
Will Fiveash wrote:
On Thu, Oct 22, 2009 at 04:55:17PM -0500, Will Fiveash wrote:
On Thu, Oct 22, 2009 at 05:40:47PM +0100, Darren Moffat wrote:
Wyllys Ingersoll wrote:
Template Version: @(#)sac_nextcase 1.68 02/23/09 SMI
This information is Copyright 2009 Sun Microsystems
1. Introduction
Couple of points:
While I don't specifically advocate it, I note that Russ' pam_krb5 and
the RedHat pam_krb5 both use configuration info in krb5.conf. I
personally would think that's simpler, but probably less pam-like.
I think you need an example of a smart-card-required configuration
Will Fiveash wrote:
On Tue, Oct 27, 2009 at 04:47:00PM -0500, Will Fiveash wrote:
On Thu, Oct 22, 2009 at 05:40:47PM +0100, Darren Moffat wrote:
The concept seems reasonable but what will the prompts look like?
I've been doing some testing and I have a question in regards to the
pkinit
On Thu, Oct 22, 2009 at 05:40:47PM +0100, Darren Moffat wrote:
The concept seems reasonable but what will the prompts look like?
I've been doing some testing and I have a question in regards to the
pkinit preauth plugin, libpkcs11 and the resulting prompting behavior.
What I'm seeing is if
On Tue, Oct 27, 2009 at 04:47:00PM -0500, Will Fiveash wrote:
On Thu, Oct 22, 2009 at 05:40:47PM +0100, Darren Moffat wrote:
The concept seems reasonable but what will the prompts look like?
I've been doing some testing and I have a question in regards to the
pkinit preauth plugin,
On Thu, Oct 22, 2009 at 11:36:03PM -0400, Henry B. Hotz wrote:
So if some users use K5 password and others use PKINIT you would put
pam_krb5 in twice?
Yes.
How would you e.g. require PKINIT for root but not users in general?
That can not be done with the current Solaris PAM
On Fri, Oct 23, 2009 at 10:22:02AM -0500, Douglas E. Engert wrote:
Will Fiveash wrote:
That is the plan. This is also why pam_krb5 when doing PKINIT should be
stacked above pam_authtok_get to avoid pam_authtok_get's prompting for a
password inappropriately.
Login is easy. Screen unlock is
Will Fiveash wrote:
That is the plan. This is also why pam_krb5 when doing PKINIT should be
stacked above pam_authtok_get to avoid pam_authtok_get's prompting for a
password inappropriately.
Login is easy. Screen unlock is much harder. Make sure your plan will
work with the actions the user
So if some users use K5 password and others use PKINIT you would put
pam_krb5 in twice?
How would you e.g. require PKINIT for root but not users in general?
On Oct 22, 2009, at 6:16 PM, Will Fiveash wrote:
Be aware that the current OpenSolaris PAM framework typically relies
on
the
Nicolas Williams wrote:
IMO pam_authtok_get(5) should be pam_authtok_get(3PAM), kinda like we
have a [consolidation-private] pam_get_user() function, which IMO should
also be Public. (b) was a good thing, and so was (c), but (c) is
getting upset by modules that can prompt for PINs, or
On Fri, Oct 23, 2009 at 02:24:48PM -0500, Douglas E. Engert wrote:
Nicolas Williams wrote:
IMO pam_authtok_get(5) should be pam_authtok_get(3PAM), kinda like we
have a [consolidation-private] pam_get_user() function, which IMO should
also be Public. (b) was a good thing, and so was (c), but
Wyllys Ingersoll wrote:
Template Version: @(#)sac_nextcase 1.68 02/23/09 SMI
This information is Copyright 2009 Sun Microsystems
1. Introduction
1.1. Project/Component Working Name:
pam_krb5 PKINIT support
1.2. Name of Document Author/Supplier:
Author: Will Fiveash
Darren J Moffat wrote:
Wyllys Ingersoll wrote:
Template Version: @(#)sac_nextcase 1.68 02/23/09 SMI
This information is Copyright 2009 Sun Microsystems
1. Introduction
1.1. Project/Component Working Name:
pam_krb5 PKINIT support
1.2. Name of Document Author/Supplier:
On Thu, Oct 22, 2009 at 05:40:47PM +0100, Darren Moffat wrote:
Wyllys Ingersoll wrote:
Template Version: @(#)sac_nextcase 1.68 02/23/09 SMI
This information is Copyright 2009 Sun Microsystems
1. Introduction
1.1. Project/Component Working Name:
pam_krb5 PKINIT support
On Thu, Oct 22, 2009 at 03:38:29PM -0500, Douglas E. Engert wrote:
Darren J Moffat wrote:
Wyllys Ingersoll wrote:
Template Version: @(#)sac_nextcase 1.68 02/23/09 SMI
This information is Copyright 2009 Sun Microsystems
1. Introduction
1.1. Project/Component Working Name:
48 matches