[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Behavioural differences in Heimdal and MIT [was: Re: APIdifferences between Heimdal and MIT]

> > (required  or sufficient).  pam_afs *should* only be a session module 
> > to get the  token and set the PAG, but that may only work on Solaris.
> There is a pam_afs2 that uses the newly obtained or forwarded Kerberos 5
> ticket of the user to get the token, and set the PAG.

Douglas is being too modest here. =) It's his software and as a user, I
need to give a small testimonial: it's vastly superior to all the other
alternatives I've been able to find. I only have tested it on linuxes,
though, so I cannot say how well it works on other OSs. Perhaps Doug can
tell that? At least the Makefile contains entries for other OSes, too.

And, to give Doug's work further advertisement, it can actually get the
token and PAG from any step during the PAM process: pam_sm_authenticate,
pam_sm_setcred and pam_sm_open_session. It will of course clean up at

> And providing alternatives to the .k5login for mapping principals to
> accounts sounds like a good thing to have, as it could give the local
> admin better control over the use of accounts.

The thing MIT does that Buck Huppmann reported sounded very nice, if a bit
cryptic to configure.

		| Juha Jäykkä, juolja@utu.fi			|
		| home: http://www.utu.fi/~juolja/		|

PGP signature