pam-krb5 To-Do List

PAM API:

 * Support PAM_CHANGE_EXPIRED_AUTHTOK properly in pam_chauthtok.  This will
   require prompting for the current password (if it's not already available
   in the PAM data) and trying a regular authentication first to see if the
   account is expired.

 * Tighter verification that all of our flags are valid might be a good
   idea.

Functionality:

 * Find a way to do only PKINIT authentication with no password fallback
   with MIT Kerberos and then change the authentication flow so that both
   Heimdal and MIT use the same logic for attempting PKINIT first and then
   falling back to password.  This will fix the failure to store passwords
   in the PAM data with try_pkinit and MIT Kerberos on password fallback and
   will allow implementation of use_pkinit for MIT.

Code Cleanup:

 * The PAM option parsing is repetitive code that involves counting the
   lengths of strings.  It should be possible to replace most of it with
   some carefully-chosen macros.

 * The PAM option parsing code could do a binary search on a table of option
   strings rather than checking each one in turn, although the performance
   and cleanliness gain may not be worth the effort.

 * The PKINIT code for Heimdal involves too many #ifdefs right now for my
   taste.  Find a way to restructure it to only wrap the main PKINIT function
   for Heimdal.

 * None of the option parsing code deals cleanly with failure to allocate
   memory.  Generally, we just don't set the parameter.  This may not always
   be safe, or may lead to unexpected behavior.  We should always check
   memory allocation failures and abort PAM if we see any.  Unfortunately,
   the profile library doesn't return errors on memory allocation failure,
   which makes this mostly futile until there's a better profile library
   API.

 * The current handling of error return codes is a mess.  We need to find a
   way to return a rich set of error codes from the underlying functions and
   then map error codes appropriately in the interface functions.  Helpful
   for this would be improved documentation of what error codes are
   permitted and where.

Documentation:

 * Document PKINIT configuration with MIT in krb5.conf.  It looks like the
   library supports configuration in [realms] with similar names to the PAM
   module configuration.

 * Note the version number when options were added.  It helps people looking
   at the documentation on-line and writing portable configurations.

Tests:

 * Add support for running an automated test suite using a user-configured
   test account with a known password.

Portability:

 * If pam_modutil_getpwnam is not available but getpwnam_r is, roll our own
   using getpwnam_r.