authorwollman <wollman@FreeBSD.org>1995-01-14 22:57:41 +0000
committerwollman <wollman@FreeBSD.org>1995-01-14 22:57:41 +0000
commit20054cbaa0f2df26f65ac5e230669382f151f599 (patch)
tree949f8235e23a60419e2e05046ae701e8799da31d /lib/libpam/modules
parent589544ea3ba13b3b74ee78c3273d4d17c3671a29 (diff)
Modify klogin to:
1) Don't spit out an error message if Kerberos is installed but not yet set up. 2) Don't attempt to verify the ticket you got back, as workstations are not intended to have srvtab files of their own. Both behaviors can be re-enabled with KLOGIN_PARANOID.
Diffstat (limited to 'lib/libpam/modules')
-rw-r--r--lib/libpam/modules/pam_kerberosIV/klogin.c11
1 files changed, 11 insertions, 0 deletions
diff --git a/lib/libpam/modules/pam_kerberosIV/klogin.c b/lib/libpam/modules/pam_kerberosIV/klogin.c
index 6601a6e..f9c2163 100644
--- a/lib/libpam/modules/pam_kerberosIV/klogin.c
+++ b/lib/libpam/modules/pam_kerberosIV/klogin.c
@@ -74,7 +74,11 @@ klogin(pw, instance, localhost, password)
char realm[REALM_SZ], savehost[MAXHOSTNAMELEN];
char tkt_location[MAXPATHLEN];
char *krb_get_phost();
+ extern int noticketsdontcomplain;
+#ifdef KLOGIN_PARANOID
+ noticketsdontcomplain = 0; /* enable warning message */
+#endif
/*
* Root logins don't use Kerberos.
* If we have a realm, try getting a ticket-granting ticket
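Review bot: `noticketsdontcomplain` is brought in with a block-scope `extern` and nothing visible says which file defines it or what its default is, so the effect of the two assignments is hard to audit. The hunk at -87/+91 clears it unconditionally once a local realm is found and carries the same comment as the `KLOGIN_PARANOID` assignment here, and as far as the visible lines show this process-wide flag is never restored on return. I would declare it in a shared header and add a comment along the lines of `/* defined in <defining file>; presumably nonzero suppresses the "no tickets" warning; cleared once a realm is configured */`. klogin's body continues outside this hunk.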
@@ -87,6 +91,8 @@ klogin(pw, instance, localhost, password)
krb_get_lrealm(realm, 0) != KSUCCESS)
return (1);
+ noticketsdontcomplain = 0; /* enable warning message */
+
/*
* get TGT for local realm
* tickets are stored in a file named TKT_ROOT plus uid
@@ -111,6 +117,7 @@ klogin(pw, instance, localhost, password)
}
kerror = krb_get_pw_in_tkt(pw->pw_name, instance,
realm, INITIAL_TICKET, realm, DEFAULT_TKT_LIFE, password);
+
/*
* If we got a TGT, get a local "rcmd" ticket and check it so as to
* ensure that we are not talking to a bogus Kerberos server.
@@ -135,6 +142,7 @@ klogin(pw, instance, localhost, password)
(void)strncpy(savehost, krb_get_phost(localhost), sizeof(savehost));
savehost[sizeof(savehost)-1] = NULL;
+#ifdef KLOGIN_PARANOID
/*
* if the "VERIFY_SERVICE" doesn't exist in the KDC for this host,
* still allow login with tickets, but log the error condition.
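Review bot: Without `KLOGIN_PARANOID`, the `#else` branch added in the last hunk (-186/+194) returns 0 as soon as `krb_get_pw_in_tkt` succeeds, so the default build never checks that the TGT reply came from the genuine KDC. The comment kept above in the -111/+117 hunk still says the rcmd ticket check is there to "ensure that we are not talking to a bogus Kerberos server", which is no longer true for that build and should be updated. Hosts that do have a srvtab lose the check too; I would make verification the default and let srvtab-less workstations opt out, e.g. `#ifndef KLOGIN_NO_VERIFY` (constructed name), and emit a `syslog` line whenever the check is skipped. The `strncpy` into `savehost` stays outside the guard and looks unused when the macro is not defined. The function starts and ends outside this hunk.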
@@ -186,5 +194,8 @@ klogin(pw, instance, localhost, password)
krb_err_txt[kerror]);
dest_tkt();
return (1);
+#else
+ return (0);
+#endif
}
#endif