Subject: Re: tty_login, tty_logout (was: pcvt and TIOCCONS)
To: Gordon W. Ross <gwr@mc.com>
From: David Carrel <carrel@cisco.com>
List: current-users
Date: 04/19/1996 12:04:18
> What is the justification for trying to use this "fbtab replacement"
> as an extension for new authentication controls?  If you want to
> have more control over how authentication is done, I think that
> should be dealt with separately from the "fbtab replacement" on
> the grounds of orthogonality.  (Unless somebody can show a good
> reason why they should both be done by one mechanism - doubtful.)

Gordon,

Ahhh, now you're on territory that I am very familiar with.  But, please be
careful with terms.  It is very important to separate authentication from
authorization.  Authentication is the task of determining who a user is.
Login alone should be responsible for that.  Authorization determines what
gets done by whom and how.  This whole thread is basically one of designing
a versatile authorization engine for login.  Basically this callout is
taking the user's identity (authenticated by login) and performing a set of
tasks based on that identity, the location and anything else the callout
script wishes to use (time of day, phase of the moon, ...).  It would make
this much more powerful to simply add the ability for the callout script to
say "no, do not allow this user to continue", at which point they are
logged off.  If you want to get fancy, then I would allow the script to
also return ASCII messages that could be presented to the user, if the
calling program (i.e. login) was able to do so.

Dave
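
The callout contract described in this message, as an added example that is not part of the original post or of any login implementation: login authenticates, then asks the callout to authorize based on identity, tty and hour. The `authorize` function, its argument order, the exit-status convention, the `POLICY` table format and the user names are all assumptions made for illustration.

```shell
#!/bin/sh
# Assumed contract (not in the original message): login, having already
# authenticated the user, calls: authorize USER TTY HOUR
#   return 0     -> login continues
#   return non-0 -> login logs the user off
#   stdout       -> ASCII message login may present to the user

# Constructed policy: user-pattern:tty-pattern:first-hour:last-hour
# The first rule matching both user and tty decides.
POLICY='root:console:0:23
alice:ttyp*:8:17
*:tty0[0-3]:0:23'

authorize() {
    user=$1 tty=$2 hour=$3
    # Fail closed on empty or unexpected input instead of guessing.
    for v in "$user" "$tty"; do
        case $v in ''|*[!A-Za-z0-9_.-]*) echo "Access denied."; return 1;; esac
    done
    case $hour in ''|*[!0-9]*) echo "Access denied."; return 1;; esac
    hour=${hour#0}; hour=${hour:-0}          # "08" -> 8, "0" -> 0
    [ "$hour" -le 23 ] || { echo "Access denied."; return 1; }

    while IFS=: read -r upat tpat from to; do
        case $user in $upat) ;; *) continue;; esac
        case $tty  in $tpat) ;; *) continue;; esac
        if [ "$hour" -ge "$from" ] && [ "$hour" -le "$to" ]; then
            echo "Welcome, $user ($tty)."
            return 0
        fi
        echo "Logins on $tty are allowed ${from}:00-${to}:59 only."
        return 1
    done <<EOF
$POLICY
EOF
    echo "Access denied."                    # no rule matched: default deny
    return 1
}

# Stand-alone use: ./callout USER TTY (the hour comes from the system clock).
if [ $# -ge 2 ]; then authorize "$1" "$2" "$(date +%H)"; exit; fi
```

The callout never sees a password and makes no identity decision, which keeps authentication in login and authorization in the policy.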