On Mar 6, 2008, at 10:12 AM, Darren J Moffat wrote:

> Henry B. Hotz wrote:
>> Second (or is that tenth?). ;-)
>> Also want pam_krb5 to be configurable to require a smart card with
>> PKINIT.
>
> For info on PKINIT ask on kerberos-discuss at opensolaris.org.
>
> > Then a plausible use case is to put both in as sufficient.
> > (Then we worry about whether we can get rid of everything that
> > *doesn't* use a smart card.)
>
> Why would you use both a pam_krb5 that is aware of PKINIT and
> pam_pkcs11?

Well, it's probably not as big a deal if it's not a laptop. You want pam_krb5+PKINIT, but if the network is down you still want to be able to log in with the same smart card.

------------------------------------------------------------------------
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz at jpl.nasa.gov, or hbhotz at oxy.edu