Subject: Re: PAM and su -K
To: Emmanuel Dreyfus <manu@netbsd.org>
From: Jason Thorpe <thorpej@shagadelic.org>
List: tech-userlevel
Date: 01/16/2005 11:18:21


On Jan 16, 2005, at 10:22 AM, Emmanuel Dreyfus wrote:

> No, because offering these will cause us problems with PAM. We already
> have enough with -K which is already there.

My point was to show the flaw in Thor's argument in favor of -K.  Let 
me put it another way: If we're going to special-case Kerberos, then 
why not every other authentication mechanism?  And if we're going to 
special-case the authentication mechanisms, then why not the user 
lookup mechanism, using the same argument?  And if we're going to do it 
for su, then why not for every other application on the system?

> Why was su -K introduced, BTW?

Good question.  Note that I have not encountered any other system that 
has it.  Looks like it originates in the Heimdal su (which we do not 
use; instead, the NetBSD su was adapted for Kerberos).  I am not aware 
of the MIT Krb5 su having the same flag.  Note that the NetBSD su is 
flag-incompatible with the Heimdal su in other ways.

         -- Jason R. Thorpe <thorpej@shagadelic.org>

