a suggestion for improving pkinit preauth plugin token choosing

Will Fiveash will.fiveash at oracle.com
Wed May 12 14:07:46 EDT 2010

On Wed, May 12, 2010 at 12:59:15PM -0500, Douglas E. Engert wrote:
> Simo Sorce wrote:
> > On Wed, 12 May 2010 10:50:33 -0500
> > Nicolas Williams <Nicolas.Williams at oracle.com> wrote:
> > 
> >> Second, this is a problem for PAM as well, and there there's no easy
> >> fix.  PAM and gic are the interfaces that we've got, I'm afraid.
> >> Giving up on doing the best we can with the interface we have because
> >> we can't get it to be perfect seems wrong to me; taking a detour to
> >> extend PAM would be wrong as well as that'd be a huge project.
> > 
> > Although fixing PAM is not in scope here, I would hope that the
> > interface can be chosen in a way that will not make it cumbersome to
> > use if someone comes up with something better than PAM in the future.
> > 
> > PAM is really a problem and I wouldn't be surprised to see
> > alternatives cropping out soon.
> Is it time to rewrite the PAM standards?
> According to:
> http://en.wikipedia.org/wiki/Pluggable_Authentication_Modules
> PAM came from Sun, X/OPen now the Open Group further developed
> it and Red Hat had the first Linux-PAM. There is now the XSSO and
> OpenPAM too.
> This mail list has many of parties involved...

O.K. I'll go ahead and create PAM++ as a side effect of modifying
pkinit's token choosing algorithm.  8^)

(sorry, couldn't help myself)
Will Fiveash
Note my new work e-mail address: will.fiveash at oracle.com
Sent using mutt, a sweet text based e-mail app: http://www.mutt.org/

More information about the krbdev mailing list