Subject: Re: PAM and su -K
To: Jason Thorpe <email@example.com>
From: Thor Lancelot Simon <firstname.lastname@example.org>
Date: 01/16/2005 14:49:41
On Sun, Jan 16, 2005 at 11:18:21AM -0800, Jason Thorpe wrote:
> On Jan 16, 2005, at 10:22 AM, Emmanuel Dreyfus wrote:
> >No, because offering theses will cause us problems with PAM. We already
> >have enough with -K which is already there.
> My point was to show the flaw in Thor's argument in favor of -K. Let
> me put it another way: If we're going to special-case Kerberos, then
> why not every other authentication mechanism? And if we're going to
What you think is a "flaw" is actually, to me, the most persuasive point
of the argument: extensive prior experience on many parts shows that
the authentication delay resulting from Kerberos failures can significantly
frustrate efforts to repair them. su -K is a special case *specifically
because a need for it has been demonstrated in the past*.
If you've seen YP or Hesiod failures regularly cause the same problem, I
think you could reasonably make a case that similar options should exist
for them; but the Kerberos problem is real, observed (semi-regularly)
in the wild, and su -K is a solution precisely fit to it.