Subject: Re: PAM and OpenSSH
To: Emmanuel Dreyfus <manu@netbsd.org>
From: Jason Thorpe <thorpej@shagadelic.org>
List: tech-userlevel
Date: 01/26/2005 09:04:26
On Jan 25, 2005, at 11:09 PM, Emmanuel Dreyfus wrote:
> PAM doesn't only deal with passwords, that's why I ask. It also has
> hooks for opening and closing sessions. After adding support for PAM in
> su and login, no Kerberos code remains at all. How is it different with
> sshd? Or did I remove things that needed to stay in su and login?
The complication here is that the SSH protocol itself has provisions
for the Kerberos protocol. I seem to recall that in SSHv2, the
Kerberos (GSSAPI, really) credentials are used for transport re-keying,
as well.
In programs like su(1) and login(1), Kerberos is out-of-band. But it's
really quite different for applications like ssh(1) and telnet(1).
-- thorpej