>> PAM is regularly abused by people deploying LDAP and Kerberos and is used improperly.
> Uh, well, something has to get the initial TGT, it might as well be PAM. For applications that
> don't support SASL or GSSAPI, there aren't any better options (which gets us back to the fact
> that more apps should have GSSAPI support, for both AD and non-AD).

Would you mind going into a little more detail there? I thought the point of PAM is so that every
application does not individually have to implement a horde of
authentication/authorisation/session management/password changing APIs themselves...