[kmf-discuss] PSARC 2006/283 Certificate & PKCS#11 PAM, module
Nicolas Williams
Nicolas.Williams at sun.com
Fri Apr 4 12:53:54 PDT 2008
On Fri, Apr 04, 2008 at 08:19:31PM +0100, Darren J Moffat wrote:
> > This project introduces additional configuration *beyond* pam.conf.
>
> and there is precedent in other cases where PAM modules have config
> files that are text and not in SMF. Those other cases are not even that
> old (and postdate the introduction of SMF) - I've already given at
> least one of them.
Given that the case has been derailed I think this is now OT, and I will
resist further comment until TCRs/TCAs are proposed, but this one I
can't resist :)
One example of such a PAM module's config file is krb5.conf(4).
No, kclient(1M) is NOT a complete administrative interface to
krb5.conf(4) -- just a partial one, and about as good as it's going to
get.
pam.conf(4) is complex. I think it's fair to assume and allow the
configuration of PAM modules to be similarly complex. Not because "hey,
if we allow it for pam.conf we ought to allow it for the modules too"
but because when it comes to security technologies like Kerberos V and
PKI, RADIUS, ..., there really are a lot of options, and lots of
context-specific ones too. I'm not arguing for any sort of general get
out of jail free feature for PAM modules, rather that *this* module's
i-team should get a get out of jail free card.
Nico