On Thu, Oct 22, 2009 at 11:36:03PM -0400, Henry B. Hotz wrote:
>  So if some users use K5 password and others use PKINIT you would put 
>  pam_krb5 in twice?

Yes.

>  How would you e.g. require PKINIT for root but not users in general?

That cannot be done with the current Solaris PAM implementation and
will not be addressed by this pam_krb5 enhancement.

>  On Oct 22, 2009, at 6:16 PM, Will Fiveash wrote:
> 
> > Be aware that the current OpenSolaris PAM framework typically relies on
> > the pam_authtok_get module to prompt for the password.  OpenSolaris
> > pam_krb5 must follow this module currently as it relies on it for the
> > password.  This is the reason I'm suggesting that if pam_krb5 is stacked
> > above pam_authtok_get it would assume it should try PKINIT only.  Given
> > this I don't see the need for another config parameter like try_pkinit.

-- 
Will Fiveash
Sun Microsystems Inc.
http://opensolaris.org/os/project/kerberos/
Sent from mutt, a sweet ASCII MUA
