Subject: Re: PAM and su -K
To: Jason Thorpe <>
From: Thor Lancelot Simon <>
List: tech-userlevel
Date: 01/16/2005 14:49:41
On Sun, Jan 16, 2005 at 11:18:21AM -0800, Jason Thorpe wrote:
> On Jan 16, 2005, at 10:22 AM, Emmanuel Dreyfus wrote:
> >No, because offering theses will cause us problems with PAM. We already
> >have enough with -K which is already there.
> My point was to show the flaw in Thor's argument in favor of -K.  Let 
> me put it another way: If we're going to special-case Kerberos, then 
> why not every other authentication mechanism?  And if we're going to 

What you think is a "flaw" is actually, to me, the most persuasive point
of the argument: extensive prior experience on many parts shows that
the authentication delay resulting from Kerberos failures can significantly
frustrate efforts to repair them.  su -K is a special case *specifically
because a need for it has been demonstrated in the past*.

If you've seen YP or Hesiod failures regularly cause the same problem, I
think you could reasonably make a case that similar options should exist
for them; but the Kerberos problem is real, observed (semi-regularly)
in the wild, and su -K is a solution precisely fit to it.