Re: 2FA with krb5

2021-10-08 Thread Ken Hornstein
>I mean, this might be dumb, but why not have the kdc able to speak to
>pam modules directly?

All of those things are "send me a 2FA token and I will verify it". (Also, the pam API really really wants to talk to a person, that's the whole point of the "pam conversation" functions; I don't see how

Re: 2FA with krb5

2021-10-08 Thread Greg Hudson
On 10/8/21 7:45 AM, Ken Hornstein wrote:
>> I mean, this might be dumb, but why not have the kdc able to speak to
>> pam modules directly?
> Kerberos is "I am going to take your password which I already know,
> convert it into an encryption key, and use it to verify your Kerberos
> request". Kerb