Solaris ssh pam_krb

Ken Hornstein kenh at cmf.nrl.navy.mil
Fri Mar 31 13:27:49 EST 2006


>I have lots of uses for PAGs besides tracking krb5 tix.  I don't want a
>PAG-like item per-such use.  I want a daemon (least priv and all that)
>that tracks PAG<->{whatever} associations.

I'm curious ... why do you want a userspace daemon to be involved?  I think
you could simplify things by making a complete kernel-only implementation.
I know that gssd is userspace, but that's obviously because it would suck
to cram the whole Kerberos and GSS libraries into the kernel.  If it's
just "associate this process tree with this cookie", then it would be
simpler (I think) to make the whole thing kernel-only.

(I am personally not worried about the API; I'm sure whatever the API ends
up being, it will be fine.  It's the implementation that concerns me).

--Ken


