Subject: Re: PAM and su -K
To: Emmanuel Dreyfus <manu@netbsd.org>
From: Jason Thorpe <thorpej@shagadelic.org>
List: tech-userlevel
Date: 01/16/2005 11:18:21
On Jan 16, 2005, at 10:22 AM, Emmanuel Dreyfus wrote:
> No, because offering these will cause us problems with PAM. We already
> have enough with -K which is already there.
My point was to show the flaw in Thor's argument in favor of -K. Let
me put it another way: If we're going to special-case Kerberos, then
why not every other authentication mechanism? And if we're going to
special-case the authentication mechanisms, then why not the user
lookup mechanism, using the same argument? And if we're going to do it
for su, then why not for every other application on the system?
> Why was su -K introduced, BTW?
Good question. Note that I have not encountered any other system that
has it. Looks like it originates in the Heimdal su (which we do not
use; instead, the NetBSD su was adapted for Kerberos). I am not aware
of the MIT Krb5 su having the same flag. Note that the NetBSD su is
flag-incompatible with the Heimdal su in other ways.
-- Jason R. Thorpe <thorpej@shagadelic.org>