a suggestion for improving pkinit preauth plugin token choosing

Simo Sorce ssorce at redhat.com
Wed May 12 14:58:42 EDT 2010

On Wed, 12 May 2010 12:59:15 -0500
"Douglas E. Engert" <deengert at anl.gov> wrote:

> Simo Sorce wrote:
> > On Wed, 12 May 2010 10:50:33 -0500
> > Nicolas Williams <Nicolas.Williams at oracle.com> wrote:
> > 
> >> Second, this is a problem for PAM as well, and there there's no
> >> easy fix.  PAM and gic are the interfaces that we've got, I'm
> >> afraid. Giving up on doing the best we can with the interface we
> >> have because we can't get it to be perfect seems wrong to me;
> >> taking a detour to extend PAM would be wrong as well as that'd be
> >> a huge project.
> > 
> > Although fixing PAM is not in scope here, I would hope that the
> > interface can be chosen in a way that will not make it cumbersome to
> > use if someone comes up with something better than PAM in the
> > future.
> > 
> > PAM is really a problem and I wouldn't be surprised to see
> > alternatives cropping out soon.
> Is it time to rewrite the PAM standards?

Certainly my desktop pals would like me to try to. :-)

> According to:
> http://en.wikipedia.org/wiki/Pluggable_Authentication_Modules
> PAM came from Sun, X/Open (now the Open Group) further developed
> it and Red Hat had the first Linux-PAM. There is now the XSSO and
> OpenPAM too.
> This mail list has many of the parties involved...

Yes, but PAM seems a bit off-topic here, I just wanted to remind that
PAM may not be the only consumer long term.


Simo Sorce * Red Hat, Inc * New York
