[19779] in Kerberos

home help back first fref pref prev next nref lref last post

Re: apache & Kerberos

daemon@ATHENA.MIT.EDU (Sam Hartman)
Thu Aug 7 17:52:05 2003

To: John Rudd <jrudd@ucsc.edu>
From: Sam Hartman <hartmans@MIT.EDU>
Date: Thu, 07 Aug 2003 17:42:36 -0400
In-Reply-To: <3F317A4C.9F679F8E@ucsc.edu> (John Rudd's message of "Wed, 06
 Aug 2003 14:59:40 -0700")
Message-ID: <tsloez1rvoz.fsf@mit.edu>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
cc: kerberos@mit.edu
Errors-To: kerberos-bounces@mit.edu

>>>>> "John" == John Rudd <jrudd@ucsc.edu> writes:

    John> Frank Cusack wrote:
    >> 
    >> On Tue, 5 Aug 2003 16:40:22 +0000 (UTC) hartmans@mit.edu (Sam Hartman) wrote:
    >> > It seems kind of unfortunate that you're combining these two
    >> modules.  > It seems that I'd really rather use PAM or
    >> pubcookie for my password > auth and then GSS-based stuff for
    >> native Kerberos.
    >> 
    >> At the risk of just doing a 'me too', I agree.  These should be
    >> different modules.  They do completely different things.
    >> 

    John> I'll provide a dissenting opinion.

    John> I've had many problems with PAM modules here (under Solaris
    John> 8).  Having a setup with an application or server/service
    John> that can handle something like username+password
    John> authentication against an external authentication service,
    John> while the underlying OS remains completely ignorant, is not
    John> just "fine with me", it is an attractive feature.  Here,
    John> they're grouped by relevence to kerberos as the external
    John> authentication service, whether it's auth via kerb ticket or
    John> auth via kerb principle+passphrase.


I understand that not everyone has PAM and that sometimes PAM does not
work that well.  So I understand that some people will want a module
to do Kerberos auth given a password.

However it seems that module really shares no code at all with the
GSSAPI module other than a few utility functions.  I can understand
being available from the same source base or maintained by the same
people.  But I can't really understand being part of the same Apache
dso.

________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
home help back first fref pref prev next nref lref last post