Darren J Moffat wrote:
> Wyllys Ingersoll wrote:
>> Gary Winiger wrote:
>>
>>> My personal recommendation: Develop a pam_pkinit (or similarly named)
>>> module with a separate man page. Have that man page describe the
>>> interactions between pam_pkinit and pam_krb5.
>>>
>>> Thanks for the extra time,
>>> Gary..
>>
>>
>> Will F is on vacation for a bit longer. I believe the main reason he
>> did not want to create a new module was that it would result in an
>> almost identical body of code. Perhaps the existing pam_krb5 tree can
>> be refactored or the build process could be modified so that the 2
>> modules (should he choose to take your advice) share a common body of
>> code except for the places where the logic differs for standard krb5
>> vs pkinit.
>
> Hence my suggestion of keeping pam_krb5 as is and using a pkinit module
> option.
>
> I personally think this is a perfect use case for module options and I
> think that in the long run having two separate modules will actually
> turn out to be a problem. So I would prefer a pkinit module option,
> that should be trivial to implement.
>
I would be OK with adding options in this case as well. Having the options
visible in the pam.conf would make it obvious to the admin that the 2
instances in the stack have different uses and would, I think, address
Gary's concern about confusion over having 2 pam_krb5 entries in the same
stack.

-Wyllys