On Thu, Nov 05, 2009 at 02:18:33PM -0800, Henry B. Hotz wrote:
> Couple of points:
>
> While I don't specifically advocate it, I note that Russ' pam_krb5 and the
> RedHat pam_krb5 both use configuration info in krb5.conf. I personally
> would think that's simpler, but probably less "pam-like".

Yes, I'm aware of that, but Solaris pam_krb has not supported that up to this point, while it has supported pam.conf stanza line arguments, which is why I was leaning that direction for a password fallback option.

> I think you need an example of a smart-card-required configuration with
> pkinit-only pam_krb5 and fall-back to pam_pkcs11 if the network connection
> is down.

dtlogin auth sufficient pam_krb5.so.1
dtlogin auth sufficient pam_pkcs11.so.1
dtlogin auth required pam_unix_cred.so.1

--
Will Fiveash
Sun Microsystems Inc.
http://opensolaris.org/os/project/kerberos/
Sent from mutt, a sweet ASCII MUA