apache & Kerberos

Sam Hartman hartmans at MIT.EDU
Thu Aug 7 17:42:36 EDT 2003

>>>>> "John" == John Rudd <jrudd at ucsc.edu> writes:

    John> Frank Cusack wrote:
    >> On Tue, 5 Aug 2003 16:40:22 +0000 (UTC) hartmans at mit.edu (Sam Hartman) wrote:
    >> > It seems kind of unfortunate that you're combining these two
    >> modules.  > It seems that I'd really rather use PAM or
    >> pubcookie for my password > auth and then GSS-based stuff for
    >> native Kerberos.
    >> At the risk of just doing a 'me too', I agree.  These should be
    >> different modules.  They do completely different things.

    John> I'll provide a dissenting opinion.

    John> I've had many problems with PAM modules here (under Solaris
    John> 8).  Having a setup with an application or server/service
    John> that can handle something like username+password
    John> authentication against an external authentication service,
    John> while the underlying OS remains completely ignorant, is not
    John> just "fine with me", it is an attractive feature.  Here,
    John> they're grouped by relevence to kerberos as the external
    John> authentication service, whether it's auth via kerb ticket or
    John> auth via kerb principle+passphrase.

I understand that not everyone has PAM and that sometimes PAM does not
work that well.  So I understand that some people will want a module
to do Kerberos auth given a password.

However it seems that module really shares no code at all with the
GSSAPI module other than a few utility functions.  I can understand
being available from the same source base or maintained by the same
people.  But I can't really understand being part of the same Apache

More information about the Kerberos mailing list