[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: pam_krb5 with PKINIT from Heimdal and MIT
Sam Hartman wrote:
>>>>>>"Douglas" == Douglas E Engert <email@example.com> writes:
> Douglas> o Since the Heimdal default it to compile in pkinit, or
> Douglas> at least a stub for it, this pkinit code can be compiled
> Douglas> into pam_krb5 by default. I would hope the MIT code would
> Douglas> do something similar.
> we can't do that. Pkinit really needs to be a plugin for gpl reasons.
I understand. But what I am asking is what code can be in pam_krb5 to
tell your libraries to load a plugin? The Heimdal code adds
one extra routine, krb5_get_init_creds_opt_set_pkinit. With the MIT code
if the plugin was not available a routine like this could return an error.
> I think that also means that we need to have a way to provide
> preauth-specific parameters to a plugin without defining
> pkinit-specific things in krb5.h.
OK, then generalize by having a krb5_get_init_creds_opt_set_plugin,
instead, and pass it character string parameters, that could have been
passed as options to pam_krb5 or found in krb5.conf.
> I think we run into GPL issues if
> we do anything else.
> Sam Hartman
> Manager, Kerberos Team
> krbdev mailing list firstname.lastname@example.org
Douglas E. Engert <DEEngert@anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439