pam_krb5 with PKINIT from Heimdal and MIT

Nicolas Williams Nicolas.Williams at sun.com
Fri Oct 13 13:17:13 EDT 2006


On Fri, Oct 13, 2006 at 11:29:05AM -0500, Douglas E. Engert wrote:
> Nicolas Williams wrote:
> > On Fri, Oct 13, 2006 at 09:52:02AM -0500, Douglas E. Engert wrote:
> 
> Keep your options open here; there may be pre-auths in the future that
> require both. It could also be which OTP to use: SecureID, Cryptocard...
> There might be a conversion going on....

I thought I did.  I covered all the major sorts of pre-auth methods that
have been proposed, and I covered migration.

> > PAM supports that.
> 
> I know.
> It's a hint to those vendors like *Sun* to do this in *your* pam_krb5.

Ah, hint taken.

> > So?  PAM modules can prompt for a principal name if they like.
> 
> Hint, again...

As an option it'd be fine.  Of course, there must be a way to decide
that the principal name that the user gave is authorized to login to the
given account, too.  I am guessing krb5_kuserok() would be your
suggestion.

> > Yup.  But you could get rid of pam_authtok_get if you like.
> 
> Another hint, to you to get Sun to look at your pam stack and
> pam_krb5.

We are.

Nico
-- 
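The authorization step Nico raises above (authenticating a principal is not the same as deciding it may log in to a given account), as an added example that is not part of the original thread: a Python model of the decision krb5_kuserok() makes, with the principal names, realm and .k5login text all constructed here. It is an approximation of the documented semantics, not the library's code.

```python
from typing import Optional


def _split_principal(principal: str) -> tuple:
    """Split 'name@REALM' into (name, realm); a missing realm yields ''."""
    if "@" not in principal:
        return principal, ""
    name, realm = principal.rsplit("@", 1)
    return name, realm


def principal_maps_to_account(principal: str, account: str, default_realm: str) -> bool:
    """Default rule when the account has no .k5login: only 'account@DEFAULT_REALM'
    maps to the local account. An instance ('alice/admin') or a foreign realm
    must not map, or a user could log in to someone else's account."""
    name, realm = _split_principal(principal)
    return name == account and realm == default_realm


def kuserok(principal: str, account: str, default_realm: str,
            k5login_text: Optional[str]) -> bool:
    """Model of krb5_kuserok(): if the account has a .k5login (text passed in
    here; None means the file is absent), the principal must be listed in it
    exactly, and the default mapping no longer applies. Real implementations
    additionally refuse a .k5login that is not owned by the account or is
    writable by others; that check is assumed to happen before this call."""
    if k5login_text is None:
        return principal_maps_to_account(principal, account, default_realm)
    allowed = set()
    for line in k5login_text.splitlines():
        entry = line.strip()
        if entry and not entry.startswith("#"):
            allowed.add(entry)
    return principal in allowed


if __name__ == "__main__":
    # Constructed .k5login for the local account 'alice': a second admin may log in.
    k5login = "# who may log in as alice\nbob@EXAMPLE.COM\n"
    print(kuserok("alice@EXAMPLE.COM", "alice", "EXAMPLE.COM", None))      # True
    print(kuserok("alice/admin@EXAMPLE.COM", "alice", "EXAMPLE.COM", None))  # False
    print(kuserok("bob@EXAMPLE.COM", "alice", "EXAMPLE.COM", k5login))     # True
```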
