Does the development team have recommendation on pam_krb5?

Henry B. Hotz hotz at
Tue Feb 17 18:31:42 EST 2009

FWIW I've have very good luck with Russ' pam_krb5.  I've had  
difficulty configuring the RedHat one.  The Sun one seems to be good  
but is a bit behind the curve.  (-: At least on Solaris 9! ;-)

I note that if you want to use one with smart cards, then I think  
Russ' pam_krb5 is currently the only option.  OpenSolaris is working  
on it, and will certainly deliver something sometime.

On Feb 14, 2009, at 9:10 AM, krbdev-request at wrote:

> Message: 1
> Date: Fri, 13 Feb 2009 10:17:44 -0700
> From: "Glenn Machin" <gmachin at>
> Subject: Does the development team have recommendation on pam_krb5?
> To: "'krbdev at'" <krbdev at>
> Message-ID: <4995AB38.2080506 at>
> Content-Type: text/plain; charset=iso-8859-1; format=flowed
> From what I can tell there are 2 sources for pam_krb5.
> It is my understanding that Fedora/RedHat uses 2.2/2.3 version while
> Solaris 10, Ubunto/Debian use 3.X version maintained by Russ Allbery.
> From what I can tell they are divergent code branches.
> The 3.X version has some features that I don't see in the FC 2.3
> versions such as :
>   1. PKINIT support
>   2. Kerberos principal name mapping:
>          * alt_auth_map,only_alt_auth
>          * expose_account
>          * search_k5login
> We have an environment where users are from multiple trusted realms so
> mapping is a necessity and in the future we will be using HSPD 12 PIV
> badges for authentication where PKINIT is important.
> So does the MIT development team have a pam_krb5 recommendation?
> Does anyone know if the Fedora/RH distribution will have these  
> features
> in the future?
> Finally is anyone working on plugin-in for krb5_aname_to_localname()?
> It would be nice to use LDAP  to obtain the mapping information.   The
> information is available in Active Directory through the
> altSecurityIdentities and it looks like the NFS4 work and University  
> of
> Michigan CITI,  idmapd.conf uses the LDAP attribute GSSAuthName.
> Thanks,
>    Glenn

The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz at, or hbhotz at

More information about the krbdev mailing list