Ticket #363 (closed defect: wontfix)
No tickets on login with identical passwords in debathena-login
Reported by: | jhamrick | Owned by: | |
---|---|---|---|
Priority: | low | Milestone: | The Distant Future |
Component: | -- | Keywords: | |
Cc: | | Fixed in version: | |
Upstream bug: | | | |
Description
If your local and Athena passwords are the same, you don't get tickets on login. This is because /etc/pam.d/common-auth first checks the entered password against the local password, and only if that fails does it run pam_krb5.
```
# here are the per-package modules (the "Primary" block)
auth [success=2 default=ignore] pam_unix.so nullok_secure
auth [success=1 default=ignore] pam_krb5.so minimum_uid=1 use_first_pass
```
Running debathena-login on Ubuntu 9.04.
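The skip behaviour described in the ticket, as an added example that is not part of the original ticket or of debathena's code: a small Python model of the `[success=N default=ignore]` control in the quoted Primary block, showing which modules run for each password outcome. The function names are hypothetical, and only the two actions that appear in those lines (an integer skip and `ignore`) are modelled.

```python
import re

# The "Primary" block quoted in the ticket description.
COMMON_AUTH = """\
auth [success=2 default=ignore] pam_unix.so nullok_secure
auth [success=1 default=ignore] pam_krb5.so minimum_uid=1 use_first_pass
"""

LINE_RE = re.compile(r"^(\w+)\s+\[([^\]]*)\]\s+(\S+)\s*(.*)$")


def parse_stack(text):
    """Parse bracketed-control PAM lines into (module, actions) tuples."""
    stack = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unsupported PAM line: {line!r}")
        actions = dict(pair.split("=", 1) for pair in m.group(2).split())
        stack.append((m.group(3), actions))
    return stack


def run_primary_block(stack, outcomes):
    """Return the modules that actually run, in order.

    outcomes maps module name -> True (PAM_SUCCESS) or False (any failure).
    """
    ran, i = [], 0
    while i < len(stack):
        module, actions = stack[i]
        ran.append(module)
        key = "success" if outcomes[module] else "default"
        action = actions.get(key, actions.get("default", "ignore"))
        # An integer action skips that many following modules.
        i += 1 + (int(action) if action.isdigit() else 0)
    return ran


def gets_tickets(local_ok, krb5_ok):
    """Tickets are obtained only if pam_krb5.so runs and succeeds."""
    outcomes = {"pam_unix.so": local_ok, "pam_krb5.so": krb5_ok}
    ran = run_primary_block(parse_stack(COMMON_AUTH), outcomes)
    return "pam_krb5.so" in ran and krb5_ok
```

With identical passwords, `pam_unix.so` succeeds and its `success=2` jumps over `pam_krb5.so`, so the Kerberos module is never consulted.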
It’s unclear this is a bug. In general, Athena accounts should be entirely shadowed by local accounts of the same name, rather than having spooky interactions with them. We would like debathena-login to interact well with existing Debian systems, so that you can e.g. install it on your server without breaking it.
As a specific example of the kinds of spooky interactions that might be caused by this: if we always tried to get tickets for the Athena account of the same name as your local account, then you wouldn’t be able to log into your account without a network connection (or at least you would have to wait for the network to time out).
However, ideally there should be some opt-in mechanism for declaring a local account to be an extension of the corresponding Athena account rather than a complete replacement. See #318 for some of my thoughts along those lines.