pam-krb5 To-Do List

PAM API:

 * Support PAM_CHANGE_EXPIRED_AUTHTOK properly in pam_chauthtok.  This
   will require prompting for the current password (if it's not already
   available in the PAM data) and trying a regular authentication first to
   see if the account is expired.

 * Tighter verification that all of our flags are valid might be a good
   idea.

Functionality:

 * Find a way to do only PKINIT authentication with no password fallback
   with MIT Kerberos and then change the authentication flow so that both
   Heimdal and MIT use the same logic for attempting PKINIT first and then
   falling back to password.  This will fix failure to store passwords in
   the PAM data with try_pkinit and MIT Kerberos on password fallback and
   will allow implementation of use_pkinit for MIT.

Code Cleanup:

 * The PAM option parsing is repetitive code that involves counting the
   lengths of strings.  It should be possible to replace most of it with
   some carefully-chosen macros.

 * The PAM option parsing code could do a binary search on a table of
   option strings rather than checking each one in turn, although the
   performance and cleanliness gain may not be worth the effort.

 * The PKINIT code for Heimdal involves too many #ifdefs right now for my
   taste.  Find a way to restructure it to only wrap the main PKINIT
   function for Heimdal.

 * All of the option parsing code does not deal clealy with failure to
   allocate memory.  Generally, we just don't set the parameter.  This may
   not always be safe, or may lead to unexpected behavior.  We should
   always check memory allocation failures and abort PAM if we see any.
   Unfortunately, the profile library doesn't return errors on memory
   allocation failure, which makes this mostly futile until there's a
   better profile library API.

 * The current handling of error return codes is a mess.  We need to find
   a way to return a rich set of error codes from the underlying functions
   and then map error codes appropriately in the interface functions.
   Helpful for this would be improved documentation of what error codes
   are permitted and where.

Documentation:

 * Document PKINIT configuration with MIT in krb5.conf.  It looks like the
   library supports configuration in [realms] with similar names to the
   PAM module configuration.

 * Note the version number when options were added.  It helps people
   looking at the documentation on-line and writing portable
   configurations.

Tests:

 * Add support for running an automated test suite using a user-configured
   test account with a known password.

Portability:

 * If pam_modutil_getpwnam is not available but getpwnam_r is, roll our
   own using getpwnam_r.