Re: ITP: pam-krb5

To: "Sean 'Shaleh' Perry" <shaleh@valinux.com>
Cc: Steve Langasek <vorlon@netexpress.net>, debian-devel@lists.debian.org
Subject: Re: ITP: pam-krb5
From: John Lines <john@paladin.demon.co.uk>
Date: Sat, 18 Nov 2000 10:09:49 +0000
Message-id: <[🔎] 200011181009.eAIA9nH15726@paladin.demon.co.uk>
In-reply-to: Message from "Sean 'Shaleh' Perry" <shaleh@valinux.com> of "Thu, 16 Nov 2000 15:55:51 PST." <[🔎] XFMail.20001116155551.shaleh@valinux.com>
References: <[🔎] XFMail.20001116155551.shaleh@valinux.com>

> > 
> > pam-krb5 does exactly the same thing as kinit, which is precisely why it
> > should not be used for authenticating network services, because in the
> > Kerberos model kinit should only ever be run on the user's local machine.
> > 
> 
> right. I see now.
> 
> 
This thread reminds me of the Socratean dialog which was somewhere in the 
original
Keberos documentation to describe the design of the protocol. It might be 
useful
to include it in the pam-krb5 documentation.

PAM and Kerberos are both powerful and subtle tools, and it would be great to
see everything PAMified and Kerberised, but the dialog in this thread is a very
lucid explanation of the potential dangers of applying both together without
understanding what is going on.

John Lines

Reply to:

References:
- RE: ITP: pam-krb5
  - From: "Sean 'Shaleh' Perry" <shaleh@valinux.com>

Prev by Date: Re: women in debian
Next by Date: xconsole eats up RAM (a LOT)
Previous by thread: RE: ITP: pam-krb5
Next by thread: Re: ITP: pam-krb5
Index(es):
- Date
- Thread