Subject: Re: Centralized User and Password Management
To: NetBSD User's Discussion List <netbsd-users@NetBSD.ORG>
From: Tillman Hodgson <tillman@seekingfire.com>
List: netbsd-users
Date: 11/25/2004 16:03:27

On Thu, Nov 25, 2004 at 04:52:39PM -0500, Greg A. Woods wrote:
> [ On Wednesday, November 24, 2004 at 10:43:29 (-0600), Tillman Hodgson wrote: ]
> > Subject: Re: Centralized User and Password Management
> >
> > If NetBSD /did/ support PAM, that makes many Kerberos things much
> > easier (although using "native" Kerberos services instead is vastly
> > preferred).
> 
> That's a very false economy.  IIUC Kerberos is already integrated into
> everything that needs it (though for add-on software there may be
> special compile-time configuration needed) and PAM would only open more
> holes.

I'm not sure I agree.

Kerberos only works "properly" if you Kerberize your entire environment.
This is often difficult and causes folks to avoid Kerberos because of an
unusual app or two. PAM allows those apps to be accommodated.

Naturally, PAM adds another layer of software that could potentially
have holes. Using native Kerberos services is, indeed, vastly preferred.

But I'll take a Kerberized environment with a single app requiring a PAM
shim over environments that use SSH for remote shells and clear-text
POP3 for mail checks any day ;-)

-T


-- 
"The mind is not a vessel to be filled but a fire to be kindled."
    -- Plutarch (45 - 125 A.D. Greek Writer & Lecturer)