a suggestion for improving pkinit preauth plugin token choosing
Will Fiveash
will.fiveash at oracle.com
Wed May 12 14:07:46 EDT 2010
On Wed, May 12, 2010 at 12:59:15PM -0500, Douglas E. Engert wrote:
>
>
> Simo Sorce wrote:
> > On Wed, 12 May 2010 10:50:33 -0500
> > Nicolas Williams <Nicolas.Williams at oracle.com> wrote:
> >
> >> Second, this is a problem for PAM as well, and there there's no easy
> >> fix. PAM and gic are the interfaces that we've got, I'm afraid.
> >> Giving up on doing the best we can with the interface we have because
> >> we can't get it to be perfect seems wrong to me; taking a detour to
> >> extend PAM would be wrong as well as that'd be a huge project.
> >
> > Although fixing PAM is not in scope here, I would hope that the
> > interface can be chosen in a way that will not make it cumbersome to
> > use if someone comes up with something better than PAM in the future.
> >
> > PAM is really a problem and I wouldn't be surprised to see
> > alternatives cropping out soon.
>
> Is it time to rewrite the PAM standards?
>
> According to:
> http://en.wikipedia.org/wiki/Pluggable_Authentication_Modules
> PAM came from Sun, X/OPen now the Open Group further developed
> it and Red Hat had the first Linux-PAM. There is now the XSSO and
> OpenPAM too.
>
> This mail list has many of parties involved...
O.K. I'll go ahead and create PAM++ as a side effect of modifying
pkinit's token choosing algorithm. 8^)
(sorry, couldn't help myself)
--
Will Fiveash
Oracle
Note my new work e-mail address: will.fiveash at oracle.com
http://opensolaris.org/os/project/kerberos/
Sent using mutt, a sweet text based e-mail app: http://www.mutt.org/
More information about the krbdev
mailing list