Re: ITP: pam-krb5

> > 
> > pam-krb5 does exactly the same thing as kinit, which is precisely why it
> > should not be used for authenticating network services, because in the
> > Kerberos model kinit should only ever be run on the user's local machine.
> > 
> right. I see now.
This thread reminds me of the Socratic dialog which was somewhere in the
Kerberos documentation to describe the design of the protocol. It might be
useful to include it in the pam-krb5 documentation.

PAM and Kerberos are both powerful and subtle tools, and it would be great to
see everything PAMified and Kerberised, but the dialog in this thread is a very
lucid explanation of the potential dangers of applying both together without
understanding what is going on.

John Lines

