pam_krb5 with PKINIT from Heimdal and MIT
Andrew Bartlett
abartlet at samba.org
Tue Oct 10 01:22:26 EDT 2006
On Tue, 2006-10-10 at 01:15 -0400, Sam Hartman wrote:
> >>>>> "Andrew" == Andrew Bartlett <abartlet at samba.org> writes:
>
> Andrew> On Mon, 2006-10-09 at 20:41 -0400, Sam Hartman wrote:
> >> >>>>> "Douglas" == Douglas E Engert <deengert at anl.gov> writes:
> >>
> Douglas> o Since the Heimdal default it to compile in pkinit, or
> Douglas> at least a stub for it, this pkinit code can be compiled
> Douglas> into pam_krb5 by default. I would hope the MIT code would
> Douglas> do something similar.
> >>
> >>
> >> we can't do that. Pkinit really needs to be a plugin for gpl
> >> reasons. I think that also means that we need to have a way to
> >> provide preauth-specific parameters to a plugin without
> >> defining pkinit-specific things in krb5.h. I think we run into
> >> GPL issues if we do anything else.
>
> Andrew> What are the 'GPL issues'?
>
> Andrew> Linking GPL'ed PK-INIT code, or worried about loading
> Andrew> binary-only PK-INIT plugin parts?
>
> Neither, actually. We need to keep MIT krb5 GPL compatible. Which
> means we cannot pull in openssl. It seems entirely fine for us to
> distribute a plugin that is not GPL compatible provided of course that
> GPL applications don't need to use it.
Ahh, the OpenSSL boogieman. For Samba4, I really, really appreciate the
work that Heimdal did for an OpenSSL-free build. :-)
Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Red Hat Inc. http://redhat.com
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url : http://mailman.mit.edu.ezproxyberklee.flo.org/pipermail/krbdev/attachments/20061010/63182713/attachment.bin
More information about the krbdev
mailing list