So if some users use K5 password and others use PKINIT you would put pam_krb5 in twice?
How would you e.g. require PKINIT for root but not users in general? On Oct 22, 2009, at 6:16 PM, Will Fiveash wrote: > Be aware that the current OpenSolaris PAM framework typically relies > on > the pam_authtok_get module to prompt for the password. OpenSolaris > pam_krb5 must follow this module currently as it relies on it for the > password. This is the reason I'm suggesting that if pam_krb5 is > stacked > above pam_authtok_get it would assume it should try PKINT only. Given > this I don't seen the need for another config parameter like > try_pkinit. ------------------------------------------------------ The opinions expressed in this message are mine, not those of Caltech, JPL, NASA, or the US Government. Henry.B.Hotz at jpl.nasa.gov, or hbhotz at oxy.edu
