/usr/share/doc/libpam-heimdal/TODO is in libpam-heimdal 4.6-2.

This file is owned by root:root, with mode 0o644.

The actual contents of the file can be viewed below.

                           pam-krb5 To-Do List

PAM API:

 * PAMKRB-5: Support PAM_CHANGE_EXPIRED_AUTHTOK properly in pam_chauthtok.
   This will require prompting for the current password (if it's not
   already available in the PAM data) and trying a regular authentication
   first to see if the account is expired.

 * PAMKRB-6: Tighter verification that all of our flags are valid might be
   a good idea.

 * PAMKRB-16: For informational messages followed by a prompt, find a way
   to combine these into one PAM conversation call for better GUI
   presentation behavior.

Functionality:

 * PAMKRB-2: Find a way to do only PKINIT authentication with no password
   fallback with MIT Kerberos and then change the authentication flow so
   that both Heimdal and MIT use the same logic for attempting PKINIT
   first and then falling back to password.  This will fix failure to
   store passwords in the PAM data with try_pkinit and MIT Kerberos on
   password fallback and will allow implementation of use_pkinit for MIT.

 * PAMKRB-10: Add a daemon that can be used to verify TGTs that can be
   used when pam-krb5 is run as a non-root user and hence doesn't have
   access to the system keytab.  Jeff Hutzelman has a daemon and protocol
   for doing this developed for a different PAM authentication module, and
   it would be good to stay consistent with that protocol if possible.
   (Debian Bug#399001)

 * PAMKRB-23: The alt_auth_map parsing to find realms doesn't take into
   account escaped @-signs and doesn't do proper principal parsing.

 * PAMKRB-24: Fix password expiration handling for the search_k5login and
   alt_auth_map cases.  Right now, we may return expired password errors
   that would trigger password expiration handling, which probably isn't
   correct.
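
An added illustration of the PAMKRB-23 item above, not code from pam-krb5: it contrasts a first-'@' search with a scan that honors backslash escapes when locating the realm of a principal string. The function names and the sample principals are made up for this example, and rejecting an empty realm or a second unescaped '@' is a strictness choice of the example.

```c
#include <stddef.h>
#include <string.h>

/* Naive lookup: treats the first '@' as the realm separator even when it is
 * backslash-escaped and therefore part of a name component. */
static const char *realm_naive(const char *principal)
{
    const char *at = strchr(principal, '@');

    return at != NULL ? at + 1 : NULL;
}

/* Escape-aware scan (hypothetical helper).  Returns 0 and sets *realm to the
 * text after the single unescaped '@', or to NULL when the principal carries
 * no realm.  Returns -1 for a dangling backslash, a second unescaped '@', or
 * an empty realm, so that a malformed mapping is rejected, not guessed at. */
static int realm_escaped(const char *principal, const char **realm)
{
    const char *p;

    *realm = NULL;
    for (p = principal; *p != '\0'; p++) {
        if (*p == '\\') {
            if (p[1] == '\0')
                return -1;      /* backslash with nothing to escape */
            p++;                /* skip the escaped character */
        } else if (*p == '@') {
            if (*realm != NULL)
                return -1;      /* two unescaped separators */
            *realm = p + 1;
        }
    }
    if (*realm != NULL && **realm == '\0')
        return -1;              /* "name@" with nothing after it */
    return 0;
}
```

For the constructed principal user\@example.com@EXAMPLE.ORG, the naive lookup reports the realm as example.com@EXAMPLE.ORG, while the escape-aware scan reports EXAMPLE.ORG.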

Code Cleanup:

 * PAMKRB-11: The PKINIT code for Heimdal involves too many #ifdefs right
   now for my taste.  Find a way to restructure it to only wrap the main
   PKINIT function for Heimdal.

 * PAMKRB-12: The current handling of error return codes is a mess.  We
   need to find a way to return a rich set of error codes from the
   underlying functions and then map error codes appropriately in the
   interface functions.  Helpful for this would be improved documentation
   of what error codes are permitted and where.

Documentation:

 * PAMKRB-13: Document PKINIT configuration with MIT in krb5.conf.  It
   looks like the library supports configuration in [realms] with similar
   names to the PAM module configuration.

 * PAMKRB-14: Note the version number when options were added.  It helps
   people looking at the documentation on-line and writing portable
   configurations.

Portability:

 * PAMKRB-15: If pam_modutil_getpwnam is not available but getpwnam_r is,
   roll our own using getpwnam_r.

Logging:

 * PAMKRB-17: Log the information that the Kerberos library asks us to
   display, or at least the info and error messages.

 * PAMKRB-18: Log unknown PAM flags on module entry.  Currently, only the
   symbolic flags we know about will be logged.

Test suite:

 * PAMKRB-19: Add tests for PKINIT.

 * PAMKRB-20: Ensure that the test suite covers all possible PAM options.

 * PAMKRB-22: Integrate and automate valgrind testing.  There is currently
   a check-valgrind option with the beginnings of an exclusion list, but
   it needs better integration with the rest of the test suite.