>>>>> "Ken" == Ken Hornstein <[EMAIL PROTECTED]> writes:
>> Currently I'm using SSH with GSSAPI and pam_krb5 support. In
>> /etc/profile (and/or pam config for ssh) I'm getting the AFS
>> token, so it's possible to use AFS as home when doing
>> interactive logins with SSH.
Ken> But if you're doing GSSAPI, then pam is never being invoked,
Ken> right? Are users typing cleartext passwords inside of ssh?
No, the setcred, account and session steps still get called.
I have a PAM module that calls aklog -setpag for the Debian AFS stuff.
It avoids me having to have Kerberos depend on AFS.
Unfortunately MIT's ftpd and login.krb5 are not PAM aware. We've
received a patch to add this support; the author of the patch was
given commit access, but hasn't gotten around to integrating changes.
________________________________________________
Kerberos mailing list [EMAIL PROTECTED]
http://mailman.mit.edu/mailman/listinfo/kerberos