Kerberos and OpenSSH - Was: Kerberos password auth/expiry kbdint patch

Frank Cusack fcusack at fcusack.com
Fri May 16 10:27:19 EST 2003


On Fri, May 16, 2003 at 10:14:01AM +1000, Damien Miller wrote:
> (Though I think the brokenness [of PAM] starts with the standard and
> not any one implementation.)

The PAM standard is not broken.  Attempts to fit it into something it
isn't are what's broken.

People always complain that protocols x, y, z are broken.  Sometimes that's
correct.  Many times, it's just that it doesn't quite do what they want
it to do, and because they have to shoehorn they claim that the protocol
itself is broken.

In the PAM case, it is my firm belief that it is quite well done.  PAM
is designed for telnet style, single-thread-of-execution authentications.

What's broken is ssh password authentication, not PAM.

/fc




More information about the openssh-unix-dev mailing list