Initial Auth Realm Fall-back
Shawn M Emery
shawn.emery at oracle.com
Tue Aug 20 02:02:35 EDT 2013
On 08/19/13 02:44 PM, Russ Allbery wrote:
> "Henry B. Hotz" <hotz at jpl.nasa.gov> writes:
>> Shouldn't the fallback option be in [appdefaults] instead?
> Not if you want it to affect every library caller, which sounded like the
> goal (so that it would affect kinit and any gic application).

Yes, that was an additional goal over the current pam_krb5 solution.

>> For the specific case of all the realms satisfying the NIST 800-63
>> constraints on cross-realm relationships I think it's OK. (From memory:
>> that's all realms under the same administrative control, and all
>> usernames synchronized, but don't hold me to it.)
> If you have cross-realm, it's not at all clear that you would need this.
> I expect it to be the most useful for client-side pseudo-merging of
> multiple realms where you *don't* have cross-realm.

Sorry, the realm names in the example should not have implied any form
of hierarchy.

Shawn.