pam_krb5 with PKINIT from Heimdal and MIT
Sam Hartman
hartmans at MIT.EDU
Tue Oct 10 13:12:05 EDT 2006
>>>>> "Douglas" == Douglas E Engert <deengert at anl.gov> writes:
Douglas> Sam Hartman wrote:
>>>>>>> "Douglas" == Douglas E Engert <deengert at anl.gov> writes:
>>
Douglas> o Since the Heimdal default is to compile in pkinit, or
Douglas> at least a stub for it, this pkinit code can be compiled
Douglas> into pam_krb5 by default. I would hope the MIT code would
Douglas> do something similar.
>>
>>
>> We can't do that. Pkinit really needs to be a plugin for GPL
>> reasons.
Douglas> I understand. But what I am asking is what code can be in
Douglas> pam_krb5 to tell your libraries to load a plugin? The
Douglas> Heimdal code adds one extra routine,
Douglas> krb5_get_init_creds_opt_set_pkinit. With the MIT code if
Douglas> the plugin was not available a routine like this could
Douglas> return an error.
Well, we can't call it that. But I do think we can have a routine in
the main API for specifying options to a preauth plugin.
--Sam