pam-krb5 To-Do List PAM API: * Support PAM_CHANGE_EXPIRED_AUTHTOK properly in pam_chauthtok. This will require prompting for the current password (if it's not already available in the PAM data) and trying a regular authentication first to see if the account is expired. * Tighter verification that all of our flags are valid might be a good idea. Code Cleanup: * The PAM option parsing is repetitive code that involves counting the lengths of strings. It should be possible to replace most of it with some carefully-chosen macros. * The PAM option parsing code could do a binary search on a table of option strings rather than checking each one in turn, although the performance and cleanliness gain may not be worth the effort. * The PKINIT code for Heimdal involves too many #ifdefs right now for my taste. Find a way to restructure it to only wrap the main PKINIT function for Heimdal. * All of the option parsing code does not deal clealy with failure to allocate memory. Generally, we just don't set the parameter. This may not always be safe, or may lead to unexpected behavior. We should always check memory allocation failures and abort PAM if we see any. Unfortunately, the profile library doesn't return errors on memory allocation failure, which makes this mostly futile until there's a better profile library API. * The current handling of error return codes is a mess. We need to find a way to return a rich set of error codes from the underlying functions and then map error codes appropriately in the interface functions. Helpful for this would be improved documentation of what error codes are permitted and where. Documentation: * Document PKINIT configuration with MIT in krb5.conf. It looks like the library supports configuration in [realms] with similar names to the PAM module configuration. * Reorganize the man page to group options into categories. The number of options right now is intimidating and confusing and makes it hard to find relevant options. PAM API behavior, prompting behavior, PKINIT, and ticket flags might be useful option groups. * Note the version number when options were added. It helps people looking at the documentation on-line and writing portable configurations. Tests: * Add support for running an automated test suite using a user-configured test account with a known password. Portability: * If pam_modutil_getpwnam is not available but getpwnam_r is, roll our own using getpwnam_r.