[Fwd: kclient version 2 [PSARC/2007/401 FastTrack timeout 07/13/2007]]
Darren J Moffat
Darren.Moffat at sun.com
Tue Jul 17 10:01:40 PDT 2007
Shawn M. Emery wrote:
> Darren J Moffat wrote:
>> Shawn M. Emery wrote:
>>>> I think that setting up pam.conf to do one of the normal Kerberos
>>>> configurations is a key part of this project.
>>>>
>>>> My recommendation is that the kclient interface be quite high level eg:
>>>>
>>>> As per the pam_krb5(5) examples: first, only, optional are the
>>>> keywords here.
>>>
>>> I don't think the pam_krb5 examples are comprehensive enough. I may
>>> wish to authenticate through Kerberos _and_ through other additional
>>> modules.
>>
>> You don't need to provide every possible combination just the ones we
>> believe are the commonly used ones. For anything else pam.conf is
>> still an end admin editable policy file. I think the common ways of
>> using pam_krb5 are the ones listed in the current pam_krb5(5) man page
>> and would be a good start for kclient(1) to support.
>
> Ok, I'll leave "and" out if everyone one is happy with the current set:
>
> first
> only
> optional
>
> What if the qualifier is left out? "first" or fail?
Don't allow it to be left out, make it required.
--
Darren J Moffat
More information about the opensolaris-arc
mailing list