Kerberos password change patch

James F. Hranicky jfh at cise.ufl.edu
Wed Apr 23 11:45:46 EST 2003


On Tue, 22 Apr 2003 13:57:22 -0700
Frank Cusack <fcusack at fcusack.com> wrote:

> > Too many problems trying to get the same PAM to work properly across multiple
> > platforms. I'm tired of putting reads from FIFOs in PAM modules to get
> 
> OK, I can understand that, but don't existing PAM modules work?
> RH ships a pam_krb5 that I have to imagine is kosher, you can also
> try my pam_krb5 (http://www.fcusack.com/) which works.

I haven't tried RH's, but while I got yours (v1.0) to work on Solaris, when
I tried it on Linux, it printed out all the prompts at once, and used
the old password to "change" the password to the "new" one (which was
foiled if the user had a password history set).

Sorry, I probably should have filed a bug report, but I spent way too
much time with the modified version (1.0.3) which had problems with
coring due to bad pointer handling in the conversation functions, as
well as security problems (which I reported to the pam_krb5 list and 
the kerberos list, to no response, although the fix was easy), and 
I just got exasperated.

> Yeah, but then you have to do it for each and every program.  With PAM
> you do it once.  It's more direct to do it in openssh, but definitely
> far inferior to using PAM, from a portability/configurability standpoint.

Well, unfortunately, that hasn't been my experience -- even when
the module seems to be working I have to deal with every program's PAM
implementation, which may simply not work right.

It's entirely possible I goofed things up, but when your error message
is a core dump, it's discouraging.

> On Thu, Jan 23, 2003 at 05:18:13PM +1100, Damien Miller wrote:
> > http://www.mindrot.org/~djm/openssh/openssh-newpam-20030123.tar.gz
> > 
> > Is a snapshot of the new PAM-via-KbdInt authentication support from 
> > FreeBSD's OpenSSH tree.
 
I'll let you know how it goes, but I'm probably more interested in setting
up a KbdintDevice as per Markus Friedl's suggestion.

Jim
