                           pam-krb5 To-Do List

PAM API:

 * Support PAM_CHANGE_EXPIRED_AUTHTOK properly in pam_chauthtok.  This
   will require prompting for the current password (if it's not already
   available in the PAM data) and trying a regular authentication first to
   see if the account is expired.

 * Tighter verification that all of our flags are valid might be a good
   idea.

 * For informational messages followed by a prompt, find a way to combine
   these into one PAM conversation call for better GUI presentation
   behavior.

Functionality:

 * Change the authentication flow so that both Heimdal and MIT use the
   same logic for attempting PKINIT first and then falling back to
   password.  This will fix failure to store passwords in the PAM data
   with try_pkinit and MIT Kerberos on password fallback and will allow
   implementation of use_pkinit for MIT.  Based on discussion with MIT
   Kerberos upstream, the best approach is probably to configure a custom
   prompter that refuses to reply to any prompt.

 * Add a daemon that can be used to verify TGTs that can be used when
   pam-krb5 is run as a non-root user and hence doesn't have access to the
   system keytab.  Jeff Hutzelman has a daemon and protocol for doing this
   developed for a different PAM authentication module, and it would be
   good to stay consistent with that protocol if possible.  (Debian
   Bug#399001)

 * The alt_auth_map parsing to find realms doesn't take into account
   escaped @-signs and doesn't do proper principal parsing.

 * Fix password expiration handling for the search_k5login and
   alt_auth_map cases.  Right now, we may return expired password errors
   that would trigger password expiration handling, which probably isn't
   correct.

 * Support authentication from a keytab.

 * Support disabling of user canonicalization so that the PAM user is
   retained even if the module did an aname to lname mapping.

 * Use set_out_ccache to write the resulting ticket cache, if it is
   available.  This ensures the correct flags are set in the ticket cache.
   This poses some challenges due to the two-step ticket cache mechanism
   currently used.  Perhaps there's a cache copying API?

 * Use krb5_chpw_message to parse password change messages from Active
   Directory.

 * Consider exposing the Kerberos principal in the password prompt for a
   password change.  (Debian Bug#667928)

Code Cleanup:

 * The PKINIT code for Heimdal involves too many #ifdefs right now for my
   taste.  Find a way to restructure it to only wrap the main PKINIT
   function for Heimdal.

 * The current handling of error return codes is a mess.  We need to find
   a way to return a rich set of error codes from the underlying functions
   and then map error codes appropriately in the interface functions.
   Helpful for this would be improved documentation of what error codes
   are permitted and where.

 * Tracking when to free the Kerberos context and other things stored in
   the PAM context is currently too complicated.  It should be possible to
   simplify it with a reference counting scheme.

Documentation:

 * Document PKINIT configuration with MIT in krb5.conf.  It looks like the
   library supports configuration in [realms] with similar names to the
   PAM module configuration.

Portability:

 * If pam_modutil_getpwnam is not available but getpwnam_r is, roll our
   own using getpwnam_r.

Logging:

 * Log the information that the Kerberos library asks us to display, or at
   least the info and error messages.

 * Log unknown PAM flags on module entry.  Currently, only the symbolic
   flags we know about will be logged.

Test suite:

 * Ensure that the test suite covers all possible PAM options.

 * Figure out why the pin-mit script for module/pkinit prompts twice and
   check if it's a bug in the module.

 * Find a way of testing the PKINIT identity selection for MIT Kerberos
   with use_pkinit enabled.
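The alt_auth_map item under Functionality above notes that the realm lookup ignores escaped @-signs.  The following is an added illustration (not pam-krb5's code) of what honouring backslash escapes looks like when locating the realm in a principal string; it assumes a simplified principal grammar in which the realm begins after the first unescaped '@' and a second unescaped '@' is malformed.

```c
/*
 * Added example, not pam-krb5 code: find the realm of a Kerberos
 * principal string while honouring backslash escapes.  Without escape
 * handling, "jane\@corp@EXAMPLE.COM" would be split at the first '@' and
 * the realm misread as "corp@EXAMPLE.COM", which matters when the realm
 * drives an authorization mapping such as alt_auth_map.
 *
 * Assumed (simplified) grammar: a backslash escapes the next character,
 * the realm starts after the first unescaped '@', and a second unescaped
 * '@' or a trailing lone backslash makes the string malformed.
 *
 * Returns a pointer into PRINCIPAL at the start of the realm, or NULL if
 * the string has no realm or is malformed.
 */
#include <stddef.h>
#include <string.h>

const char *
principal_realm(const char *principal)
{
    const char *p;
    const char *realm = NULL;

    if (principal == NULL)
        return NULL;
    for (p = principal; *p != '\0'; p++) {
        if (*p == '\\') {
            if (p[1] == '\0')
                return NULL;    /* lone trailing backslash */
            p++;                /* skip the escaped character */
            continue;
        }
        if (*p == '@') {
            if (realm != NULL)
                return NULL;    /* second unescaped '@' */
            realm = p + 1;
        }
    }
    if (realm == NULL || *realm == '\0')
        return NULL;
    return realm;
}

/* Return 1 if PRINCIPAL's realm is exactly EXPECTED, else 0. */
int
principal_in_realm(const char *principal, const char *expected)
{
    const char *realm = principal_realm(principal);

    return realm != NULL && strcmp(realm, expected) == 0;
}
```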