man: fix default value for pam_passkey_auth #7227
Conversation
ikerexxe
added
passkey
There was a problem hiding this comment.
Hi,
thanks, now the man page matches the code at https://github.com/SSSD/sssd/blob/master/src/responder/pam/pamsrv.c#L52, ACK.
bye,
Sumit
|
Why is 'pam_passkey_auth = true' but 'pam_cert_auth = false' by default? I'm also not sure about 'Fixes: commit-hash' notation - script that prepares release notes most probably won't like it. |
The default was changed to true in c76ba34 ("PAM: Passkey kerberos preauth support"), but the man page wasn't updated. Signed-off-by: Iker Pedrosa <[email protected]>
No idea 😅
I changed it, thanks for the feedback. |
Why do we want 'passkey_auth' enabled by default? Doesn't this trigger additional steps in krb pre-auth for users who doesn't use passkey? |
No, you'd still need to enable passkey authentication per user ( |
It's enough to have it enabled locally to have additional pre-auth step: https://issues.redhat.com/browse/RHEL-21786?focusedId=24266630&page=com.atlassian.jira.plugin.system.issuetabpanels%3Acomment-tabpanel#comment-24266630 Besides this being visible in the logs (and thus rendering questions) this probably (? I don't know) adds some latency. |
Hi, Smartcard authentication isn't enabled by default because checking the presence of a Smartcard might cause delays in the order of a few seconds for every authentication attempt. HTH bye, |
The default was changed to true, but the man page wasn't updated.
Fixes: c76ba34