Does the development team have recommendation on pam_krb5?

Henry B. Hotz hotz at jpl.nasa.gov
Tue Feb 17 18:31:42 EST 2009 

FWIW I've have very good luck with Russ' pam_krb5.  I've had  
difficulty configuring the RedHat one.  The Sun one seems to be good  
but is a bit behind the curve.  (-: At least on Solaris 9! ;-)

I note that if you want to use one with smart cards, then I think  
Russ' pam_krb5 is currently the only option.  OpenSolaris is working  
on it, and will certainly deliver something sometime.

On Feb 14, 2009, at 9:10 AM, krbdev-request at mit.edu wrote:

> Message: 1
> Date: Fri, 13 Feb 2009 10:17:44 -0700
> From: "Glenn Machin" <gmachin at sandia.gov>
> Subject: Does the development team have recommendation on pam_krb5?
> To: "'krbdev at mit.edu'" <krbdev at mit.edu>
> Message-ID: <4995AB38.2080506 at sandia.gov>
> Content-Type: text/plain; charset=iso-8859-1; format=flowed
>
> From what I can tell there are 2 sources for pam_krb5.
>
> It is my understanding that Fedora/RedHat uses 2.2/2.3 version while
> Solaris 10, Ubunto/Debian use 3.X version maintained by Russ Allbery.
> From what I can tell they are divergent code branches.
>
> The 3.X version has some features that I don't see in the FC 2.3
> versions such as :
> http://www.eyrie.org/~eagle/software/pam-krb5/readme.html
>
>
>   1. PKINIT support
>   2. Kerberos principal name mapping:
>          * alt_auth_map,only_alt_auth
>          * expose_account
>          * search_k5login
>
>
> We have an environment where users are from multiple trusted realms so
> mapping is a necessity and in the future we will be using HSPD 12 PIV
> badges for authentication where PKINIT is important.
>
>
> So does the MIT development team have a pam_krb5 recommendation?
>
> Does anyone know if the Fedora/RH distribution will have these  
> features
> in the future?
>
>
> Finally is anyone working on plugin-in for krb5_aname_to_localname()?
> It would be nice to use LDAP  to obtain the mapping information.   The
> information is available in Active Directory through the
> altSecurityIdentities and it looks like the NFS4 work and University  
> of
> Michigan CITI,  idmapd.conf uses the LDAP attribute GSSAuthName.
>
>
> Thanks,
>
>    Glenn

------------------------------------------------------
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz at jpl.nasa.gov, or hbhotz at oxy.edu

More information about the krbdev mailing list