Re: ITP Heimdal (Kerberos 5)
>>>>> "Marco" == Marco d'Itri <email@example.com> writes:
Marco> On Dec 24, Brian May <firstname.lastname@example.org> wrote:
>> Heimdal comes with a PAM module, too, however, I haven't worked
Marco> Then do we really need the servers like telnetd? Using pam
Marco> would be much nicer.
True Kerberos authentication requires cooperation both from the client
and server (except for local logins via /bin/login). The client needs
to submit its ticket to the server, instead of the user manually
entering a password.
I remain unconvinced that PAM can do this. I think you need to use
GSSAPI for this, but so far I don't know of any other Debian packages
that use GSSAPI. Some Heimdal packages use GSSAPI (e.g. ftp). Most,
however, talk to Kerberos directly. In theory, it should be possible
to implement GSSAPI for any security protocol you can think of, both
in the client and the server.
Brian May <email@example.com>