Subject: Re: Centralized User and Password Management
To: NetBSD Users <netbsd-users@NetBSD.org>
From: Tillman Hodgson <tillman@seekingfire.com>
List: netbsd-users
Date: 11/28/2004 16:52:47
On Sun, Nov 28, 2004 at 01:17:03PM -0800, John Nemeth wrote:
> On Apr 17, 12:30pm, Tillman Hodgson wrote:
> } 
> } As I said, PAM allows the odd app or two that might be preventing
> } Kerberizing an environment completely to still work. It's a stop-gap
> } measure until those legacy services can be properly migrated.
> 
>      I don't view PAM as a stop-gap at all.  The idea behind PAM is
> that applications don't have to know anything about the myriad ways of
> authenticating.  They just have to know PAM and PAM will take care of
> the work of authenticating for them.

PAM only addresses the server side of authentication. For example, one
of the powerful features of Kerberos is ticket forwarding. It requires
the client application understand Kerberos (or GSSAPI) well enough to
actually forward the cached credentials rather than a username &
password. A server-side-only PAM module won't provide features like
this. This, in a Kerberos environment, pam_krb5 is a stop-gap measure.

I like PAM. However, pam_krb5 doesn't do what you seem to think it does
;-)

-T


-- 
Why look for meaning where there is none?  Would you follow a path you know 
leads nowhere?
	- Query of the Mentat School