On Mon, Jan 21, 2002 at 01:55:53PM -0800, Terry Lambert wrote:
> "Jacques A. Vidrine" wrote:
> > > In the way that the author of the PAM architecture from Sun
> > > spoke at the Silicon Valley BSD User's Group meeting,
> > Do you have a reference, or do we have to guess what you are talking
> > about? :-)
> I have my memory of the talk he gave, which included the idea
> that Sun was not supporting work to modify the PAM architecture
> to support Kerberos in the future.
The PAM architecture doesn't need any modifications to support
Kerberos. It supports Kerberos today.
> Basically, you can use it for authentication and password change,
> but for little else, and even those uses require going through
> incredible hoops (e.g. abusing the authentication module API to
> implement a credential cache).
> Did you need more?
I guess so. There are many Kerberos 5 PAM modules in existence today,
and they support interactive authentication pretty well. There is
even some agreement among the authors of related modules on how the
credentials cache can be exported for stacking (e.g. for DCE). I
can't imagine what `incredible hoops' or `abuse' you might be talking
The PAM API already includes entry points specificially for the
management of credentials.
Put another way, in your first sentence above, what might you mean by
`for little else'?
> Are you really just fishing for Paul Fronberg's email address?
No. I'm probably just wasting my time :-) You have stood up and asked
for something, but have not given any indication of what it is you
want to accomplish. Curiousity has the better of me.
> Maybe this release note from HP will explain the limitations
> NB: This is just for authentication, mostly preauthentication.
These seem to be limitations of HP's pam_krb5 module, not of PAM. And
again, it is unclear what limitations you might be concerned about.
No account management? Well, that's not Kerberos's job. No
credentials management? That's a problem with HP's implementation --
see /usr/ports/security/pam_krb5 or pam_krb5 in our base system (they
are closely related) for one way it can be done. Limited
preauthentication choices? That has to do with the Kerberos
implementation, not PAM.
I feel like I'm having my leg pulled.
Jacques A. Vidrine <[EMAIL PROTECTED]> http://www.nectar.cc/
NTT/Verio SME . FreeBSD UNIX . Heimdal Kerberos
[EMAIL PROTECTED] . [EMAIL PROTECTED] . [EMAIL PROTECTED]
To Unsubscribe: send mail to [EMAIL PROTECTED]
with "unsubscribe freebsd-current" in the body of the message