a suggestion for improving pkinit preauth plugin token choosing

Simo Sorce ssorce at redhat.com
Wed May 12 13:40:56 EDT 2010

On Wed, 12 May 2010 10:50:33 -0500
Nicolas Williams <Nicolas.Williams at oracle.com> wrote:

> Second, this is a problem for PAM as well, and there there's no easy
> fix.  PAM and gic are the interfaces that we've got, I'm afraid.
> Giving up on doing the best we can with the interface we have because
> we can't get it to be perfect seems wrong to me; taking a detour to
> extend PAM would be wrong as well as that'd be a huge project.

Although fixing PAM is not in scope here, I would hope that the
interface can be chosen in a way that will not make it cumbersome to
use if someone comes up with something better than PAM in the future.

PAM is really a problem and I wouldn't be surprised to see
alternatives cropping out soon.


Simo Sorce * Red Hat, Inc * New York

More information about the krbdev mailing list