The patch, included bellow, adds a new option to pam_krb5 "optional_ccache". This option, when specified, modifies behavior of pam_sm_setcred so that - if credentials were already obtained earlier in pam_sm_authenticate, then pam_sm_setcred will store them in credentials cache; - if there are no credentials pam_sm_setcred doesn't return an error. This way, "optional_ccache" implements "save credentials if they exists, but do not fail if they don't" logic. Currently this logic is not available, as there are only two modes of operation: "always save credentials and fail if they were not obtained" and "don't care about credentials completely". Why I think this is needed? Currently if I want to enable kerberos authentication I put into pam.d/svc something similar to auth sufficient pam_krb5.so no_warn try_first_pass require_keytab noroot auth required pam_unix.so no_warn try_first_pass nullok This works fine until there's a network failure. Network failures may lead to long delays in pam_krb5 when kerberos is not available. Sure when this happens it's still possible to login with passwords from master.passwd, but there will be a long delay during login process. This is undesirable situation because when something fails it must be fixed quick and to fix it login/su is usually required. The only way to eliminate this annoying delay which I can think of is to put pam_unix before pam_krb5 like this: auth sufficient pam_unix.so no_warn try_first_pass nullok auth required pam_krb5.so no_warn try_first_pass require_keytab noroot But currently this setup doesn't work because during pam_sm_authenticate phase openpam stops if pam_unix indicate success, but for pam_sm_setcred openpam treats sufficient as optional and doesn't stop on pam_unix in case of success but rather steps to pam_krb5. In case user was authenticated with pam_unix this leads to a call to pam_sm_setcred from pam_krb5 without prior call to its pam_sm_authenticate. Because pam_krb5 obtains credentials in pam_sm_authenticate this makes pam_sm_setcred (and the whole authentication) to fail if no_ccache is not specified. It's possible to workaround this problem by making pam_krb5 sufficient and adding another pam_unix: auth sufficient pam_unix.so no_warn try_first_pass nullok auth sufficient pam_krb5.so no_warn try_first_pass require_keytab noroot auth required pam_unix.so no_warn try_first_pass nullok But I'd say this is a hack, not a solution. This setup is not clear and might lead to misunderstandings. With the change I propose "optional_ccache" can be specified for pam_krb5 and pam_sm_setcred will return PAM_IGNORE if there are no credentials, but will still save ccache if they exist. This allows unix logins to be independent of kerberos logins and eliminates delays in case of kerberos failures.
Perhaps we should simply change the ccache option to work like your hypothetical optional_ccache option. I don't see any reason not to.
Keyword: patch or patch-ready – in lieu of summary line prefix: [patch] * bulk change for the keyword * summary lines may be edited manually (not in bulk). Keyword descriptions and search interface: <https://bugs.freebsd.org/bugzilla/describekeywords.cgi>