Wyllys Ingersoll wrote:
> Darren J Moffat wrote:
>> Wyllys Ingersoll wrote:
>>> Gary Winiger wrote:
>>>
>>>> My personal recommendation: Develop a pam_pkinit (or similarly named) module
>>>> with a separate man page. Have that man page describe the interactions
>>>> between pam_pkinit and pam_krb5.
>>>>
>>>> Thanks for the extra time,
>>>> Gary..
>>>
>>> Will F is on vacation for a bit longer. I believe the main reason he did not
>>> want to create a new module was that it would result in an almost identical
>>> body of code. Perhaps the existing pam_krb5 tree can be refactored or
>>> the build process could be modified so that the 2 modules (should he choose
>>> to take your advice) share a common body of code except for the places
>>> where the logic differs for standard krb5 vs pkinit.
>> Hence my suggestion of keeping pam_krb5 as is and using a pkinit module
>> option.
>>
>> I personally think this is a perfect use case for module options and I
>> think that in the long run having two separate modules will actually
>> turn out to be a problem. So I would prefer a pkinit module option,
>> that should be trivial to implement.
>>
>
> I would be OK with adding options in this case as well. Having the options
> visible in the pam.conf would make it obvious to the admin that the
> 2 instances in the stack have different uses and would, I think, address
> Gary's concern about confusion over having 2 pam_krb5 entries in the
> same stack.

Indeed, the difference is syntax more than anything else eg:

    other auth required pam_krb5.so pkinit

versus

    other auth required pam_krb5_pkinit.so

White space versus an underscore.

I like module options, when used properly, and to me this is a perfect
case of proper use of a module option. The code for password based
versus PKINIT based Kerberos authentication is in the very high 90%
range of common code, in fact it is pretty much just a flag to a lower
level API.

Gary however seems to prefer a separate module with the common code
factored into a library.

--
Darren J Moffat