> I may be being a bit naïve here myself, since I haven't had any technical
> experience of Assent yet, but why not do this through PAM, which seems to
> fall through to further mechanisms quite successfully, rather than GSS?
> Or am I missing something?
I think that if you wind up using PAM underneath SSH, then the GSS initiator endpoint is on the SSH server, so the SSH server needs to know your credential (ie: username + password). With GSS as part of the SSH client, the GSS initiator endpoint is on your local machine, so the SSH server never learns your credential at all.
(Though I've never set up the PAM mechanism, so I don't have experience of this. I'm happy to be corrected.)
--Mark
|