pam_krb5 with PKINIT from Heimdal and MIT
Jeffrey Hutzelman
jhutz at cmu.edu
Fri Oct 13 13:27:30 EDT 2006
On Friday, October 13, 2006 09:52:02 AM -0500 "Douglas E. Engert"
<deengert at anl.gov> wrote:
> The way PAM works today i.e. get a username and password
> then call all the pam routines one at a time with the same password
That's not how PAM works. It is up to individual PAM modules to request
that the application prompt the user for a username, password, or other
data. The framework provides a mechanism (the PAM_USER and PAM_AUTHTOK
items) for caching and reusing the previously-entered username and/or
password when appropriate, but it is up to individual modules to decide
when to do this. For many modules, this behavior is controlled by the
pam_first_pass and pam_try_first options.
-- Jeff
More information about the krbdev
mailing list