Does the development team have recommendation on pam_krb5?

Glenn Machin gmachin at
Fri Feb 13 12:17:44 EST 2009

 From what I can tell there are 2 sources for pam_krb5.

It is my understanding that Fedora/RedHat uses 2.2/2.3 version while 
Solaris 10, Ubunto/Debian use 3.X version maintained by Russ Allbery.   
 From what I can tell they are divergent code branches.  

The 3.X version has some features that I don't see in the FC 2.3 
versions such as :

   1. PKINIT support
   2. Kerberos principal name mapping:
          * alt_auth_map,only_alt_auth
          * expose_account
          * search_k5login

We have an environment where users are from multiple trusted realms so 
mapping is a necessity and in the future we will be using HSPD 12 PIV 
badges for authentication where PKINIT is important.

So does the MIT development team have a pam_krb5 recommendation?

Does anyone know if the Fedora/RH distribution will have these features 
in the future?

Finally is anyone working on plugin-in for krb5_aname_to_localname()?   
It would be nice to use LDAP  to obtain the mapping information.   The 
information is available in Active Directory through the 
altSecurityIdentities and it looks like the NFS4 work and University of 
Michigan CITI,  idmapd.conf uses the LDAP attribute GSSAuthName.



More information about the krbdev mailing list