[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]


From: Simon Josefsson
Subject: Re: PAM vs GSSAPI?
Date: Wed, 21 Mar 2007 12:29:20 +0100
User-agent: Gnus/5.110006 (No Gnus v0.6) Emacs/22.0.95 (gnu/linux)

Russ Allbery <address@hidden> writes:

> Simon Josefsson <address@hidden> writes:
>> It may be possible to implement a PAM module that calls GSS-API
>> functions to perform the host login, but I don't recall seeing anyone
>> doing that.  For example, while I don't really know for sure, I think
>> that all the Kerberos 5 PAM modules use native krb5 APIs instead of
>> GSS-API.  Your security architecture is equivalent to krb5 from this
>> conceptual point of view.
> So far as I can tell, it's not possible to obtain initial credentials with
> a password purely through the GSS-API.  I only see gss_acquire_cred, which
> isn't sufficient.  So yes, I'm fairly sure that all Kerberos PAM modules
> use native Kerberos calls.

Ah, right.  I recalled some GSS-API extensions for initial
acquisition, but I guess they were never implemented widely.  It might
have been a better approach, though.  But maybe there are other things
that pam_krb5 do which isn't possible to do via GSS-API?


reply via email to

[Prev in Thread] Current Thread [Next in Thread]