
Re: Behavioural differences in Heimdal and MIT [was: Re: API differences between Heimdal and MIT]



> > (required or sufficient).  pam_afs *should* only be a session module
> > to get the token and set the PAG, but that may only work on Solaris.
> There is a pam_afs2 that uses the newly obtained or forwarded Kerberos 5
> ticket of the user to get the token, and set the PAG.

Douglas is being too modest here. =) It's his software and as a user, I
need to give a small testimonial: it's vastly superior to all the other
alternatives I've been able to find. I have only tested it on Linuxes,
though, so I cannot say how well it works on other OSs. Perhaps Doug can
tell that? At least the Makefile contains entries for other OSes, too.

And, to give Doug's work further advertisement, it can actually get the
token and PAG from any step during the PAM process: pam_sm_authenticate,
pam_sm_setcred and pam_sm_open_session. It will of course clean up at
pam_sm_close_session.

> And providing alternatives to the .k5login for mapping principals to
> accounts sounds like a good thing to have, as it could give the local
> admin better control over the use of accounts.

The thing MIT does that Buck Huppmann reported sounded very nice, if a bit
cryptic to configure.

-- 
		 -----------------------------------------------
		| Juha Jäykkä, juolja@utu.fi			|
		| home: http://www.utu.fi/~juolja/		|
		 -----------------------------------------------
