>> I am aware of no widely deployed Kerberos applications without
>> authorization support.
>
>pam_krb5?

You have to be in the Unix password file for pam_krb5 to give you access to a machine. At least, any pam_krb5 implementation I've ever seen works that way. And assuming you could log in as host/some.machine ... what Unix account would that map to, anyway?

I think you will find nearly all Kerberos/GSSAPI applications have some form of authorization; the one I can think of that doesn't is the sendmail implementation of SMTP AUTH; in that particular case, the general configuration I've seen is that the success of SMTP AUTH allows you to use that SMTP server for relaying; it doesn't check for a particular principal. But that would certainly be simple to add.

--Ken
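
The authorization step discussed in this message, sketched as an added example (not part of the original post, and not pam_krb5's or sendmail's code): an authenticated principal grants a login only if it maps to an existing Unix account, and a relay check can require a particular principal. It assumes the common default mapping rule (a single-component principal in the default realm maps to the same-named local user); the realm `EXAMPLE.ORG`, the account names and all function names are constructed for illustration.

```python
import pwd


def parse_principal(principal):
    """Split 'comp1/comp2@REALM' into (list of components, realm)."""
    name, sep, realm = principal.rpartition("@")
    if not sep or not name or not realm:
        raise ValueError(f"not a full principal name: {principal!r}")
    return name.split("/"), realm


def local_name(principal, default_realm):
    """Assumed default rule: only a single-component principal in the
    default realm maps to a local user name; anything else maps to nothing."""
    components, realm = parse_principal(principal)
    if realm != default_realm or len(components) != 1:
        return None
    return components[0]


def system_account_exists(user):
    """True if the user has an entry in the Unix password database."""
    try:
        pwd.getpwnam(user)
        return True
    except KeyError:
        return False


def authorize_login(principal, default_realm, account_exists=system_account_exists):
    """Authentication has already succeeded; decide whether it grants a login.
    Returns the local account name, or None when access is refused."""
    user = local_name(principal, default_realm)
    if user is None or not account_exists(user):
        return None
    return user


def authorize_relay(principal, allowed_principals):
    """Relay only for listed principals, not for every successful AUTH."""
    return principal in allowed_principals


if __name__ == "__main__":
    accounts = {"ken", "root"}  # constructed stand-in for the password file
    for p in ("ken@EXAMPLE.ORG", "host/some.machine@EXAMPLE.ORG",
              "mallory@EXAMPLE.ORG", "ken@OTHER.REALM"):
        print(p, "->", authorize_login(p, "EXAMPLE.ORG", accounts.__contains__))
```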
