Subject: Re: PAM and OpenSSH
To: Love <lha@stacken.kth.se>
From: John Nemeth <jnemeth@victoria.tc.ca>
List: tech-userlevel
Date: 01/31/2005 23:30:01
On Jun 18,  2:12am, Love wrote:
} manu@NetBSD.org (Emmanuel Dreyfus) writes:
} > Roland Dowdeswell <elric@imrryr.org> wrote:
} >
} >> We also need to resurrect the protocol 1 krb5 and protocol 2 krb5
} >> support which OpenSSH removed.  I've been planning to do this when
} >> I get a chance, but the chance has been taking a while to show up.
} >
} > How does that interact with PAM introduction? Does kerberos support all
} > goes in PAM, or will we have bits remaining in sshd?
} 
} There will remain krb5 bits in sshd for legacy Kerberos protocol support,
} those parts that don't deal with passwords but rather with the kerberos
} protocol itself.

     I don't know much about how the Kerberos protocol works.  However,
I would like to point out that it is a fallacy that PAM only handles
passwords.  PAM can make its authentication decision based on anything
the module writer wants.  Some examples would be smart cards and
biometric devices.  With these, the application would call
pam_authenticate(), the module would poll the appropriate device, and
if it likes what it sees, it would then return saying the user was
authenticated without ever asking the user for a password.  An
alternative would be that a smart card module could ask the user for a
key to use to decrypt the private key on the smart card.  I don't know
if there is some way that the Kerberos module could interact with the
client without bothering the user.  It may be that there is no sane way
for a ticket to be passed without the server being involved.

}-- End of excerpt from Love
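To illustrate the point made above about PAM not being tied to passwords, here is an added example (not code from this thread, from NetBSD, or from any real PAM module): a skeleton authentication module whose decision rests on an assertion read from a device, with the conversation function never used to ask for a password. The enrollment table, the assertion format `serial=...;state=...`, the device-polling stub and the function names (`devtoken_authenticate`, `assertion_get`) are all assumptions constructed for the example. The decision logic compiles on its own; the PAM glue is compiled only with `-DWITH_PAM` and linked against libpam.

```c
/* Added example, not from the thread or from NetBSD: a PAM auth module that
 * decides from a device assertion, never from a password.
 * Build the module with:
 *   cc -DWITH_PAM -fPIC -shared -o pam_devtoken.so pam_devtoken.c -lpam
 * Without -DWITH_PAM only the decision logic is compiled. */
#include <string.h>

/* Constructed enrollment table: which device serial belongs to which user.
 * A real module would read this from a root-owned file with strict permissions. */
struct enrollment { const char *user; const char *serial; };
static const struct enrollment ENROLLED[] = {
    { "alice", "TOK-0001" },
    { "bob",   "TOK-0002" },
};

/* Extract the value for `key` from an assertion of the constructed form
 * "serial=TOK-0001;state=unlocked". Returns 1 and fills `out` on success,
 * 0 if the key is absent or the value would not fit (no silent truncation). */
static int assertion_get(const char *assertion, const char *key, char *out, size_t outlen)
{
    size_t klen = strlen(key);
    const char *p = assertion;
    while (*p) {
        const char *end = strchr(p, ';');
        size_t flen = end ? (size_t)(end - p) : strlen(p);
        if (flen > klen && strncmp(p, key, klen) == 0 && p[klen] == '=') {
            size_t vlen = flen - klen - 1;
            if (vlen >= outlen) return 0;
            memcpy(out, p + klen + 1, vlen);
            out[vlen] = '\0';
            return 1;
        }
        if (!end) break;
        p = end + 1;
    }
    return 0;
}

/* The authentication decision: the user is authenticated iff the assertion
 * names a serial enrolled for that user and the device reports itself
 * unlocked. No password is consulted anywhere on this path. */
int devtoken_authenticate(const char *user, const char *assertion)
{
    char serial[64], state[16];
    if (!user || !assertion) return 0;
    if (!assertion_get(assertion, "serial", serial, sizeof serial)) return 0;
    if (!assertion_get(assertion, "state", state, sizeof state)) return 0;
    if (strcmp(state, "unlocked") != 0) return 0;
    for (size_t i = 0; i < sizeof ENROLLED / sizeof ENROLLED[0]; i++)
        if (strcmp(ENROLLED[i].user, user) == 0 && strcmp(ENROLLED[i].serial, serial) == 0)
            return 1;
    return 0;
}

#ifdef WITH_PAM
#include <security/pam_appl.h>
#include <security/pam_modules.h>

/* Hypothetical stand-in for polling the reader; returns a constructed
 * assertion. A real module would talk to the device here. */
static const char *poll_device(void) { return "serial=TOK-0001;state=unlocked"; }

int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **argv)
{
    const char *user;
    (void)flags; (void)argc; (void)argv;
    /* pam_get_user() obtains the name from the application (prompting only if
     * it is not already set); the module never asks for PAM_AUTHTOK and never
     * drives the conversation function for a password. */
    if (pam_get_user(pamh, &user, NULL) != PAM_SUCCESS)
        return PAM_AUTH_ERR;
    return devtoken_authenticate(user, poll_device()) ? PAM_SUCCESS : PAM_AUTH_ERR;
}

int pam_sm_setcred(pam_handle_t *pamh, int flags, int argc, const char **argv)
{
    (void)pamh; (void)flags; (void)argc; (void)argv;
    return PAM_SUCCESS;
}
#endif
```

The design point is that all the policy sits in `devtoken_authenticate()`, which sshd (or any other application calling `pam_authenticate()`) never sees; the application only learns success or failure, which is exactly why a Kerberos ticket exchange that needs the client and server to talk to each other does not map naturally onto this one-way decision.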