Porting Heimdal's libkafs to MIT Kerberos
Ken Hornstein
kenh at cmf.nrl.navy.mil
Sun Jan 11 11:20:26 EST 2004
>But this is true of assorted other applications which use your Kerberos
>credentials to obtain other 'tokens'. Having the Kerberos system
>binaries (and then _all_ means of login) support each and every one of
>these mechanisms really doesn't seem realistic.

*shrug* Well, I did it (years ago, in fact), and it works just fine.

>We ran into this issue using UMICH's kx509 stuff. Rather than add
>support for gaining kx509 credentials left, right and centre, we use a
>PAM module to get an X509 certificate for the user based on the contents
>of their ccache. By replacing 'kinit' with a PAM-enabled application, a
>user can gather all of the credentials they need in one operation.
>Adding additional services only requires new PAM modules, rather than
>extending core code.

That's great if PAM is an option for you. But PAM has poor OS coverage
at our shop; the time I spent extending the _applications_ (not the
core code) is less than the time I would have spent getting PAM
to work on those few systems that support it. I suspect that if I had
to add support for KX509, I'd just add it to aklog (icky as that
sounds).

--Ken