Russ Allbery <[EMAIL PROTECTED]> writes:

> Simon Josefsson <[EMAIL PROTECTED]> writes:
>
>> It may be possible to implement a PAM module that calls GSS-API
>> functions to perform the host login, but I don't recall seeing anyone
>> doing that. For example, while I don't really know for sure, I think
>> that all the Kerberos 5 PAM modules use native krb5 APIs instead of
>> GSS-API. Your security architecture is equivalent to krb5 from this
>> conceptual point of view.
>
> So far as I can tell, it's not possible to obtain initial credentials with
> a password purely through the GSS-API. I only see gss_acquire_cred, which
> isn't sufficient. So yes, I'm fairly sure that all Kerberos PAM modules
> use native Kerberos calls.

Ah, right. I recalled some GSS-API extensions for initial acquisition,
but I guess they were never implemented widely. It might have been a
better approach, though. But maybe there are other things that pam_krb5
does which aren't possible to do via GSS-API?

/Simon

_______________________________________________
Help-gss mailing list
[email protected]
http://lists.gnu.org/mailman/listinfo/help-gss
