id summary reporter owner description type status priority milestone component resolution keywords cc fix_version see_also 276 Shouldn’t accept Kerberos passwords for local users without username@ATHENA.MIT.EDU in .k5login andersk "{{{ debathena / pam / andersk 17:07 (Anders Kaseorg) I’d be tempted to set minimum_uid=500. Though what I’d actually like to require is (group nss_nonlocal_users || principal in .k5login). debathena / pam / broder 17:10 (Evan Broder) Principal in .k5login doesn't matter, because PAM doesn't deal with that debathena / pam / andersk 17:11 (Anders Kaseorg) > PAM doesn't deal with that But I want it to. If username@ATHENA.MIT.EDU is not in username’s ~/.k5login, then I don’t want that Kerberos password to be useful for logging into that local account. }}} " defect new normal The Distant Future --