apache & Kerberos
hartmans at MIT.EDU
Thu Aug 7 17:42:36 EDT 2003
>>>>> "John" == John Rudd <jrudd at ucsc.edu> writes:
John> Frank Cusack wrote:
>> On Tue, 5 Aug 2003 16:40:22 +0000 (UTC) hartmans at mit.edu (Sam Hartman) wrote:
>> > It seems kind of unfortunate that you're combining these two
>> modules. > It seems that I'd really rather use PAM or
>> pubcookie for my password > auth and then GSS-based stuff for
>> native Kerberos.
>> At the risk of just doing a 'me too', I agree. These should be
>> different modules. They do completely different things.
John> I'll provide a dissenting opinion.
John> I've had many problems with PAM modules here (under Solaris
John> 8). Having a setup with an application or server/service
John> that can handle something like username+password
John> authentication against an external authentication service,
John> while the underlying OS remains completely ignorant, is not
John> just "fine with me", it is an attractive feature. Here,
John> they're grouped by relevence to kerberos as the external
John> authentication service, whether it's auth via kerb ticket or
John> auth via kerb principle+passphrase.
I understand that not everyone has PAM and that sometimes PAM does not
work that well. So I understand that some people will want a module
to do Kerberos auth given a password.
However it seems that module really shares no code at all with the
GSSAPI module other than a few utility functions. I can understand
being available from the same source base or maintained by the same
people. But I can't really understand being part of the same Apache
More information about the Kerberos