>>
>> Well, we do have gss_acquire_cred_with_password() (same as Solaris).
>> This will be supported for applications that want to do things that
>> way.
>
> Yes, that'll likely work well enough for GSS-EAP.
It depends on the EAP mechanism. If you're doing client certificate authentication, it's probably not the right interface. However it's easy to create another interface on top of set_cred_option() (at least, once we change the prototype to enable us to return a credential; see gss_krb5_import_cred() in users/lhoward/import-cred branch of MIT).
> If you do go down that route, do keep in mind that PAM is a good
> anti-pattern for how to do prompting APIs...
We can pass that comment onto the person that ends up implementing that ;-)
-- Luke
|