[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]


From: Russ Allbery
Subject: Re: PAM vs GSSAPI?
Date: Tue, 20 Mar 2007 17:43:04 -0700
User-agent: Gnus/5.110006 (No Gnus v0.6) XEmacs/21.4.19 (linux)

Simon Josefsson <address@hidden> writes:

> It may be possible to implement a PAM module that calls GSS-API
> functions to perform the host login, but I don't recall seeing anyone
> doing that.  For example, while I don't really know for sure, I think
> that all the Kerberos 5 PAM modules use native krb5 APIs instead of
> GSS-API.  Your security architecture is equivalent to krb5 from this
> conceptual point of view.

So far as I can tell, it's not possible to obtain initial credentials with
a password purely through the GSS-API.  I only see gss_acquire_cred, which
isn't sufficient.  So yes, I'm fairly sure that all Kerberos PAM modules
use native Kerberos calls.

Russ Allbery (address@hidden)             <>

reply via email to

[Prev in Thread] Current Thread [Next in Thread]