Ticket #363 (closed defect: wontfix)

Opened 12 years ago

Last modified 10 years ago

No tickets on login with identical passwords in debathena-login

Reported by: jhamrick
Owned by:
Priority: low
Milestone: The Distant Future
Component: --
Keywords:
Cc:
Fixed in version:
Upstream bug:

Description

If your local password and Athena password are the same, you don't get tickets on login. This is because in /etc/pam.d/common-auth, it first checks the entered password against the local password, and then, only if that fails, does it run pam_krb5.

# here are the per-package modules (the "Primary" block)
auth	[success=2 default=ignore]	pam_unix.so nullok_secure
auth	[success=1 default=ignore]	pam_krb5.so minimum_uid=1 use_first_pass

Running debathena-login on Ubuntu 9.04.
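
An added illustration (not part of the ticket and not debathena-login's own code): a minimal model of PAM's `[value=N]` skip semantics applied to the two lines quoted above, showing that pam_krb5 is never invoked when pam_unix succeeds. The function names and the "auth_err" outcome label are assumptions of this sketch, and only numeric jumps and `ignore` are modelled.

```python
import re

# The two "Primary" block lines quoted in the ticket description.
COMMON_AUTH = """\
auth [success=2 default=ignore] pam_unix.so nullok_secure
auth [success=1 default=ignore] pam_krb5.so minimum_uid=1 use_first_pass
"""

def parse_stack(text):
    """Parse 'type [k=v ...] module args' lines into (module, actions) pairs."""
    stack = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"(\S+)\s+\[([^\]]*)\]\s+(\S+)", line)
        if not m:
            raise ValueError("unsupported control syntax: " + line)
        actions = dict(kv.split("=", 1) for kv in m.group(2).split())
        stack.append((m.group(3), actions))
    return stack

def modules_run(stack, results):
    """Return the modules actually invoked, honouring [value=N] jumps.

    results maps module name -> PAM outcome name (constructed inputs
    standing in for what the real modules would return).
    """
    ran, i = [], 0
    while i < len(stack):
        module, actions = stack[i]
        ran.append(module)
        action = actions.get(results[module], actions.get("default", "bad"))
        # Numeric action: skip the next N modules. "ignore": fall through.
        i += 1 + (int(action) if action.isdigit() else 0)
    return ran

def gets_tickets(local_ok, krb_ok):
    """Tickets are obtained only if pam_krb5 is invoked and succeeds."""
    results = {"pam_unix.so": "success" if local_ok else "auth_err",
               "pam_krb5.so": "success" if krb_ok else "auth_err"}
    ran = modules_run(parse_stack(COMMON_AUTH), results)
    return "pam_krb5.so" in ran and krb_ok
```

With identical passwords both modules would accept the input, but `success=2` on pam_unix jumps over pam_krb5, so `gets_tickets(True, True)` is false while `gets_tickets(False, True)` is true.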

Change History

comment:1 Changed 12 years ago by andersk

It’s unclear this is a bug. In general, Athena accounts should be entirely shadowed by local accounts of the same name, rather than having spooky interactions with them. We would like debathena-login to interact well with existing Debian systems, so that you can e.g. install it on your server without breaking it.

As a specific example of the kinds of spooky interactions that might be caused by this: if we always tried to get tickets for the Athena account of the same name as your local account, then you wouldn’t be able to log into your account without a network connection (or at least you would have to wait for the network to time out).

However, ideally there should be some opt-in mechanism for declaring a local account to be an extension of the corresponding Athena account rather than a complete replacement. See #318 for some of my thoughts along those lines.

comment:2 Changed 12 years ago by andersk

I should also mention that my ponyverse includes #276 “Shouldn’t accept Kerberos passwords for local users without username@… in .k5login”, although I’d also want the same opt-in mechanism to work there (e.g. locally adding the user to the nss_nonlocal_users group, given #318).

comment:3 Changed 12 years ago by jdreed

  • Milestone set to The Distant Future

comment:4 Changed 10 years ago by jdreed

  • Status changed from new to closed
  • Resolution set to wontfix

Documented, wontfix.
