pam_krb5 with PKINIT from Heimdal and MIT
hartmans at MIT.EDU
Tue Oct 10 01:15:54 EDT 2006
>>>>> "Andrew" == Andrew Bartlett <abartlet at samba.org> writes:
Andrew> On Mon, 2006-10-09 at 20:41 -0400, Sam Hartman wrote:
>> >>>>> "Douglas" == Douglas E Engert <deengert at anl.gov> writes:
Douglas> o Since the Heimdal default it to compile in pkinit, or
Douglas> at least a stub for it, this pkinit code can be compiled
Douglas> into pam_krb5 by default. I would hope the MIT code would
Douglas> do something similar.
>> we can't do that. Pkinit really needs to be a plugin for gpl
>> reasons. I think that also means that we need to have a way to
>> provide preauth-specific parameters to a plugin without
>> defining pkinit-specific things in krb5.h. I think we run into
>> GPL issues if we do anything else.
Andrew> What are the 'GPL issues'?
Andrew> Linking GPL'ed PK-INIT code, or worried about loading
Andrew> binary-only PK-INIT plugin parts?
Neither, actually. We need to keep MIT krb5 GPL compatible. Which
means we cannot pull in openssl. It seems entirely fine for us to
distribute a plugin that is not GPL compatible provided of course that
GPL applications don't need to use it.
More information about the krbdev