Does the development team have a recommendation on pam_krb5?
Glenn Machin
gmachin at sandia.gov
Fri Feb 13 12:17:44 EST 2009
From what I can tell there are 2 sources for pam_krb5.
It is my understanding that Fedora/RedHat uses the 2.2/2.3 version while
Solaris 10, Ubuntu/Debian use the 3.X version maintained by Russ Allbery.
From what I can tell they are divergent code branches.
The 3.X version has some features that I don't see in the FC 2.3
versions such as:

http://www.eyrie.org/~eagle/software/pam-krb5/readme.html

1. PKINIT support
2. Kerberos principal name mapping:
   * alt_auth_map, only_alt_auth
   * expose_account
   * search_k5login

We have an environment where users are from multiple trusted realms so
mapping is a necessity and in the future we will be using HSPD 12 PIV
badges for authentication where PKINIT is important.
So does the MIT development team have a pam_krb5 recommendation?
Does anyone know if the Fedora/RH distribution will have these features
in the future?
Finally, is anyone working on a plug-in for krb5_aname_to_localname()?
It would be nice to use LDAP to obtain the mapping information. The
information is available in Active Directory through the
altSecurityIdentities and it looks like the NFS4 work and University of
Michigan CITI, idmapd.conf uses the LDAP attribute GSSAuthName.
Thanks,
Glenn