pam_krb5 with PKINIT from Heimdal and MIT

Sam Hartman hartmans at MIT.EDU
Mon Oct 9 20:41:58 EDT 2006

>>>>> "Douglas" == Douglas E Engert <deengert at> writes:

    Douglas>  o Since the Heimdal default it to compile in pkinit, or
    Douglas> at least a stub for it, this pkinit code can be compiled
    Douglas> into pam_krb5 by default. I would hope the MIT code would
    Douglas> do something similar.

we can't do that.  Pkinit really needs to be a plugin for gpl reasons.
I think that also means that we need to have a way to provide
preauth-specific parameters to a plugin without defining
pkinit-specific things in krb5.h.  I think we run into GPL issues if
we do anything else.

Sam Hartman
Manager, Kerberos Team

More information about the krbdev mailing list