Kerberos password change patch

Frank Cusack fcusack at fcusack.com
Wed Apr 23 06:57:22 EST 2003


On Tue, Apr 22, 2003 at 01:44:02PM -0400, James F.Hranicky wrote:
> On Tue, 22 Apr 2003 09:23:38 -0700
> Frank Cusack <fcusack at fcusack.com> wrote:
> 
> > On Tue, Apr 22, 2003 at 11:21:21AM -0400, James F.Hranicky wrote:
> > > Attached is a patch that allows for an interactive Kerberos password
> > > change via keyboard-interactive,
> > 
> > Why don't you let PAM do it?
> 
> Too many problems trying to get the same PAM to work properly across multiple
> platforms. I'm tired of putting reads from FIFOs in PAM modules to get

OK, I can understand that, but don't existing PAM modules work?
RH ships a pam_krb5 that I have to imagine is kosher; you can also
try my pam_krb5 (http://www.fcusack.com/) which works.

> Plus, any problem you have you're debugging both the module and the 
> implementation in the PAMified program, so it just seemed easier to cut
> out the middleman and do it all in openssh.

Yeah, but then you have to do it for each and every program.  With PAM
you do it once.  It's more direct to do it in openssh, but definitely
far inferior to using PAM, from a portability/configurability standpoint.

> If not, any pointers on privsep and my patch would be greatly appreciated,
> although I'll be checking FreeBSD's PAM patch to see what they are doing
> about it.

On Thu, Jan 23, 2003 at 05:18:13PM +1100, Damien Miller wrote:
> http://www.mindrot.org/~djm/openssh/openssh-newpam-20030123.tar.gz
> 
> Is a snapshot of the new PAM-via-KbdInt authentication support from 
> FreeBSD's OpenSSH tree.

/fc




More information about the openssh-unix-dev mailing list