pam_krb5 with PKINIT from Heimdal and MIT
Nicolas.Williams at sun.com
Fri Oct 13 13:17:13 EDT 2006
On Fri, Oct 13, 2006 at 11:29:05AM -0500, Douglas E. Engert wrote:
> Nicolas Williams wrote:
> > On Fri, Oct 13, 2006 at 09:52:02AM -0500, Douglas E. Engert wrote:
> Keep your options open here; there may be pre-auths in the future that
> require both. It could also be which OTP to use: SecureID, Cryptocard...
> There might be a conversion going on....
I thought I did. I covered all the major sorts of pre-auth methods that
have been proposed, and I covered migration.
> > PAM supports that.
> I know.
> It's a hint to those vendors like *Sun* to do this in *your* pam_krb5.
Ah, hint taken.
> > So? PAM modules can prompt for a principal name if they like.
> Hint, again...
As an option it'd be fine. Of course, there must be a way to decide
that the principal name that the user gave is authorized to login to the
given account, too. I am guessing krb5_kuserok() would be your
> > Yup. But you could get rid of pam_authtok_get if you like.
> Another hint, to you to get Sun to look at your pam stack and