
Re: pam_krb5 with PKINIT from Heimdal and MIT

Sam Hartman wrote:

>>>>>>"Douglas" == Douglas E Engert <deengert@anl.gov> writes:
> 
> 
>     Douglas>  o Since the Heimdal default is to compile in pkinit, or
>     Douglas> at least a stub for it, this pkinit code can be compiled
>     Douglas> into pam_krb5 by default. I would hope the MIT code would
>     Douglas> do something similar.
> 
> 
> We can't do that.  PKINIT really needs to be a plugin for GPL reasons.

I understand. But what I am asking is what code can be in pam_krb5 to
tell your libraries to load a plugin?  The Heimdal code adds
one extra routine, krb5_get_init_creds_opt_set_pkinit. With the MIT code
if the plugin was not available a routine like this could return an error.

> I think that also means that we need to have a way to provide
> preauth-specific parameters to a plugin without defining
> pkinit-specific things in krb5.h. 

OK, then generalize by having a krb5_get_init_creds_opt_set_plugin,
instead, and pass it character string parameters, that could have been
passed as options to pam_krb5 or found in krb5.conf.

> I think we run into GPL issues if
> we do anything else.
> 
> Sam Hartman
> Manager, Kerberos Team
> 

-- 

  Douglas E. Engert  <DEEngert@anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444