pam_krb5 with PKINIT from Heimdal and MIT

Sam Hartman hartmans at MIT.EDU
Tue Oct 10 01:15:54 EDT 2006

>>>>> "Andrew" == Andrew Bartlett <abartlet at> writes:

    Andrew> On Mon, 2006-10-09 at 20:41 -0400, Sam Hartman wrote:
    >> >>>>> "Douglas" == Douglas E Engert <deengert at> writes:
    Douglas> o Since the Heimdal default is to compile in pkinit, or
    Douglas> at least a stub for it, this pkinit code can be compiled
    Douglas> into pam_krb5 by default. I would hope the MIT code would
    Douglas> do something similar.
    >> We can't do that.  Pkinit really needs to be a plugin for GPL
    >> reasons.  I think that also means that we need to have a way to
    >> provide preauth-specific parameters to a plugin without
    >> defining pkinit-specific things in krb5.h.  I think we run into
    >> GPL issues if we do anything else.

    Andrew> What are the 'GPL issues'?

    Andrew> Linking GPL'ed PK-INIT code, or worried about loading
    Andrew> binary-only PK-INIT plugin parts?

Neither, actually.  We need to keep MIT krb5 GPL compatible.  Which
means we cannot pull in openssl.  It seems entirely fine for us to
distribute a plugin that is not GPL compatible provided of course that
GPL applications don't need to use it.
