issue with preauth processing
Nicolas Williams
Nicolas.Williams at sun.com
Mon Oct 26 14:44:18 EDT 2009
On Mon, Oct 26, 2009 at 02:39:26PM -0400, Sam Hartman wrote:
> >>>>> "Will" == Will Fiveash <William.Fiveash at sun.com> writes:
> Will> But consider pam_krb5 and prompting. There may be
> Will> situations where pam_krb5 wants to restrict libkrb and it's
> Will> preauth plugins to only PKINIT and it's associated prompts.
> Will> How can that be done?
>
> I don't think we have an API for that today. (I'm also not entirely
> convinced that libpam-krb5 should do this.) I do think such an API
> would be reasonable in some cases--for example the s4u case.
Sam, I think pam_krb5 should be doing something else, yes, but, in
Solaris we have other constraints that prevent us from doing something
better.
Nico
--
More information about the krbdev
mailing list