On Mon, May 09, 2005 at 08:53:21AM -0700, Damian Sobieralski wrote:
> > PAM does not map well to Kerberos, unfortunately. Generally speaking
> > you want to avoid PAM with Kerberos if you can possibly use native
> > Kerberos
> > :-)
>
> It seems my ignorance is kicking in here- how would they log into the
> machine first, to issue "kinit"/native if I don't use PAM to get them
> INTO the machine?

Using Kerberos-native login binaries, for example. Once logged in, connecting to other hosts is done using Kerberos-native applications like telnet -x, SSH with GSSAPI, etc.

A well-written PAM module can also work here, but generally should be avoided for network services. The problem is that PAM basically assumes a username/password pair. Kerberos doesn't give you that with network services.

> I just modified the /etc/pam.d/sshd file (only using kerberos for
> sshd):

Look into the GSSAPI options for /etc/ssh/ssh_config instead. Newer OpenSSH versions support Kerberos natively and don't need PAM hacks.

-T

-- 
Laws to suppress tend to strengthen what they would prohibit. This is the fine point on which all the legal professions of history have based their job security.
- Bene Gesserit Coda
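
Added example, not part of the original message or of OpenSSH: a small POSIX shell audit that reports whether a server-side sshd_config-style file enables ticket-based (GSSAPI) login, following OpenSSH's first-occurrence-wins rule for the global section. The function names and the sample config are constructed for illustration; the parser assumes whitespace-separated `Keyword value` lines and treats `#` as a comment start.

```shell
#!/bin/sh
# effective_opt FILE KEYWORD DEFAULT
# Prints the value in effect outside any Match block: keywords are
# case-insensitive and the first occurrence wins.
effective_opt() {
    awk -v want="$2" -v def="$3" '
        BEGIN { want = tolower(want) }
        { sub(/#.*/, "") }                    # drop comments
        NF == 0 { next }                      # skip blank lines
        {
            key = tolower($1)
            if (key == "match") exit          # global section ends here
            if (key == want && NF >= 2) { found = 1; print tolower($2); exit }
        }
        END { if (!found) print def }
    ' "$1"
}

# audit_gssapi FILE: prints the effective settings, returns 1 if GSSAPI is off.
audit_gssapi() {
    gss=$(effective_opt "$1" GSSAPIAuthentication no)         # OpenSSH default: no
    clean=$(effective_opt "$1" GSSAPICleanupCredentials yes)  # OpenSSH default: yes
    pw=$(effective_opt "$1" PasswordAuthentication yes)       # OpenSSH default: yes
    echo "GSSAPIAuthentication=$gss GSSAPICleanupCredentials=$clean PasswordAuthentication=$pw"
    rc=0
    [ "$gss" = yes ] || { echo "WARN: GSSAPI (ticket-based) login is disabled"; rc=1; }
    [ "$clean" = yes ] || echo "WARN: credential caches are not destroyed on logout"
    [ "$pw" = no ] || echo "NOTE: password logins are still accepted alongside GSSAPI"
    return $rc
}

# Constructed sample config (not taken from the thread).
write_sample() {
    cat <<'EOF'
# constructed sshd_config sample
UsePAM yes
gssapiauthentication yes
GSSAPIAuthentication no      # ignored: the first occurrence wins
PasswordAuthentication no
Match User backup
    GSSAPICleanupCredentials no
EOF
}

tmp=$(mktemp) && write_sample > "$tmp" && audit_gssapi "$tmp"
rm -f "$tmp"
```

On a live host, `sshd -T` prints the configuration sshd itself resolves and is the authoritative check.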