Henry B. Hotz wrote: > > On Mar 6, 2008, at 10:12 AM, Darren J Moffat wrote: > >> Henry B. Hotz wrote: >>> Second (or is that tenth?). ;-) >>> Also want pam_krb5 to be configurable to require a smart card with >>> PKINIT. >> >> For info in PKINIT ask on kerberos-discuss at opensolaris.org. >> >> > Then a plausible use case is to put both in as sufficient. >> > (Then we worry about whether we can get rid of everything that >> *doesn't* >> > use a smart card.) >> >> Why would you use both a pam_krb5 that is ware of PKINIT and pam_pkcs11? > > Well, it's probably not as big a deal if it's not a laptop. You want > pam_krb5+PKINIT, but if the network is down you still want to be able to > log in with the same smart card.
I realised that just after I hit Send that that was the case you were probably considering. Thanks for confirming though. -- Darren J Moffat
