On Tue, Apr 23, 2002 at 01:58:50PM -0400, Nick M. Williams wrote: > > Simon's patches for OpenSSH use PAM. I believe the Solaris telnetd and > friends do as well, yes, even with kerberos-authenticated clients. The > key is to either not bother calling pam_authenticate() (the user *is* > authenticated already) or call it but use a PAM_SERVICE name configured > to just return PAM_SUCCESS immediately from pam_authenticate().
> And the point of this is that kerberized network daemons can use > pam_setcred() to share a clients' credentials with interested > modules, such as AFS PAM modules, say. :) -- So long as they don't use the return value from pam_setcred() in deciding whether to grant access to a service when the user has already been authenticated through a mechanism other than PAM. Steve Langasek postmodern programmer ________________________________________________ Kerberos mailing list [EMAIL PROTECTED] http://mailman.mit.edu/mailman/listinfo/kerberos