Porting Heimdal's libkafs to MIT Kerberos

Ken Hornstein kenh at cmf.nrl.navy.mil
Sun Jan 11 11:20:26 EST 2004

>But this is true of assorted other applications which use your Kerberos 
>credentials to obtain other 'tokens'. Having the Kerberos system 
>binaries (and then _all_ means of login) support each and every one of 
>these mechanisms really doesn't seem realistic.

*shrug* Well, I did it (years ago, in fact), and it works just fine.

>We ran into this issue using UMICH's kx509 stuff. Rather than add 
>support for gaining kx509 credentials left, right and centre, we use a 
>PAM module to get an X509 certificate for the user based on the contents 
>of their ccache. By replacing 'kinit' with a pam enabled application, a 
>user can gather all of the credentials they need in one operation. 
>Adding additional services only requires new PAM modules, rather than 
>extending core code.

That's great if PAM is an option for you.  But PAM has poor OS coverage
at our shop; the time I spent extending the _applications_ (not the
core code) is less than the time I would have spent getting PAM
to work on those few systems that support it.  I suspect that if I had
to add support for KX509, I'd just add it to aklog (icky as that


More information about the krbdev mailing list