
Re: mod_auth_pam



>>>>> "Ben" == Ben Collins <bcollins@debian.org> writes:

    >> shadow sucks. I use Kerberos or LDAP whenever I can. Both
    >> protocols lend themselves much better to PAM-integration, btw.

    Ben> That's the most ignorant statement I have seen in awhile. So

I agree. The implication (admittedly it may have been taken out of
context, I don't have the original message to check) is that the
Kerberos PAM module is good for all types of authentication.

Wrong! It is only really suitable for

a) initial login to local computer (first step in Kerberos protocol).
b) screen savers run from the local computer (where authenticating via a ticket
stored on the hard disk is not appropriate).

Otherwise, you are not using the Kerberos protocol, but only a simple
password protocol, that just happens to use a Kerberos database
instead of /etc/passwd, /etc/shadow, NIS or LDAP.

The only way you can get the full benefit of Kerberos is if programs
are rewritten to support it, either directly or via GSSAPI or SASL.
-- 
Brian May <bam@debian.org>
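
The distinction drawn in the message above, as an added example that is not part of the original message: a simplified Python model of a service that checks a password through a PAM-style call, next to one that accepts a Kerberos-style ticket. The principal names, the password, the toy cipher and the single-step KDC exchange (no separate TGS step, no timestamps or replay protection) are assumptions made for illustration.

```python
import hashlib, hmac, json, os

def kdf(password, salt):
    # Password-derived long-term key (stand-in for Kerberos string-to-key).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 1000)

def _stream(key, nonce, n):
    return b"".join(hashlib.sha256(key + nonce + bytes([i])).digest()
                    for i in range(n // 32 + 1))

def seal(key, obj):
    # Toy authenticated encryption, for illustration only (not a real enctype).
    data, nonce = json.dumps(obj).encode(), os.urandom(16)
    body = nonce + bytes(a ^ b for a, b in zip(data, _stream(key, nonce, len(data))))
    return body + hmac.new(key, body, "sha256").digest()

def unseal(key, blob):
    body, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, body, "sha256").digest()):
        raise ValueError("wrong key or tampered message")
    ct = body[16:]
    return json.loads(bytes(a ^ b for a, b in zip(ct, _stream(key, body[:16], len(ct)))))

SERVICE = "http/www"  # constructed principal names and password
KDC_DB = {"alice": kdf("correct horse", "alice"), SERVICE: os.urandom(32)}

def kdc_issue(client, service):
    # Returns (reply sealed under the client's key, ticket sealed under the service's key).
    sk = os.urandom(16).hex()
    return (seal(KDC_DB[client], {"sk": sk, "svc": service}),
            seal(KDC_DB[service], {"sk": sk, "client": client}))

def service_password_auth(user, password, seen):
    # PAM-style check inside the service: it is handed the password itself.
    seen.append(password)
    try:
        unseal(kdf(password, user), kdc_issue(user, SERVICE)[0])
        return True
    except ValueError:
        return False

def client_get_ticket(user, password):
    # Runs on the user's machine; the password is used here and goes no further.
    reply, ticket = kdc_issue(user, SERVICE)
    sk = bytes.fromhex(unseal(kdf(password, user), reply)["sk"])
    return ticket, seal(sk, {"client": user})

def service_ticket_auth(ticket, authenticator, seen):
    # Kerberized service: verifies with its own key (a keytab in practice), sees only sealed blobs.
    seen += [ticket, authenticator]
    t = unseal(KDC_DB[SERVICE], ticket)
    a = unseal(bytes.fromhex(t["sk"]), authenticator)
    return t["client"] if a["client"] == t["client"] else None
```

The `seen` list records everything the service process handles: the cleartext password in the first mode, only the two sealed blobs in the second.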


