Subject: Re: BSD Authentication
To: Greywolf <greywolf@starwolf.com>
From: Simon J. Gerraty <sjg@crufty.net>
List: current-users
Date: 08/27/2003 22:17:38
>SJG> The more interesting aspect is the ability of radius and tacacs+ to
>SJG> communicate arbitrary attributes back to the client. Typically you
>SJG> then want a means of making these known to the real client process.
>Isn't this just the sort of thing that secure ipc/rpc would be suited to?
Instead of what? RADIUS? TACACS+? or the means of an authenticator
communicating with its client?
>If the stuff is NOT handled in kernel (well, to a degree, all auth
>will eventually tweak something in the kernel pertinent to [sre][ug]id/
I'm not talking about just authentication now. RADIUS et al, eventually
return a simple PASS/FAIL indicator so that bit could easily be handled
by the exit status of an authenticator. It's the essentially arbitrary
attribute=value pairs that can accompany the response that are interesting.
You could of course save the av pairs in a file, and have the client
process read that or use any other IPC mechanism, but storing everything
in the kernel isn't necessary or necessarily desirable.
--sjg
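As an added illustration of the split the reply describes (not code from the thread, nor from NetBSD's BSD Auth implementation): the authenticator reports PASS/FAIL purely through its exit status, and the attribute=value pairs a RADIUS- or TACACS+-style backend returns travel back to the client over an ordinary user-space pipe, with nothing stored in the kernel. The `attr=value` line format, the "last argument is the back-channel fd" convention, the `USERS` table and the sample attributes are all constructed for this example.

```python
"""Added example: authenticator/client split with PASS/FAIL in the exit
status and attribute=value pairs on a separate back-channel pipe.
The line format and fd-passing convention are constructed here and are
not the BSD Auth wire protocol."""
import os
import re
import subprocess
import sys

# Attribute names are restricted to a conservative charset so the client
# never has to sanitise them later (e.g. before exporting them anywhere).
ATTR_NAME = re.compile(r"^[A-Za-z][A-Za-z0-9-]*$")


def parse_av_pairs(text):
    """Parse 'attr=value' lines from the back channel into a dict.

    The back channel is a trust boundary: malformed or duplicate lines raise
    ValueError instead of being silently skipped or merged last-one-wins."""
    attrs = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        name, sep, value = line.partition("=")
        if not sep or not ATTR_NAME.match(name) or not value.isprintable():
            raise ValueError("malformed attribute line: %r" % raw)
        if name in attrs:
            raise ValueError("duplicate attribute: %s" % name)
        attrs[name] = value
    return attrs


def run_authenticator(argv, user, password):
    """Run an authenticator child process and return (passed, attrs).

    Credentials are written to the child's stdin (never put on argv, which
    is visible in ps). The child writes av pairs to the pipe whose fd number
    is appended to argv. On FAIL the back channel is discarded unread, so a
    rejecting authenticator can never hand the client any attributes."""
    rfd, wfd = os.pipe()
    try:
        proc = subprocess.Popen(argv + [str(wfd)], stdin=subprocess.PIPE,
                                pass_fds=(wfd,))
    except Exception:
        os.close(rfd)
        raise
    finally:
        os.close(wfd)  # parent keeps only the read end, so EOF tracks the child
    proc.stdin.write(("%s\n%s\n" % (user, password)).encode())
    proc.stdin.close()
    with os.fdopen(rfd, "r") as back:
        text = back.read()  # drain to EOF before waiting, avoiding a pipe stall
    status = proc.wait()
    if status != 0:
        return False, {}
    return True, parse_av_pairs(text)


# Constructed stand-in for a RADIUS/TACACS+ authenticator: one hard-coded
# user with the attributes its "server" would return. A real authenticator
# would query the server and relay whatever AV pairs came back.
AUTHENTICATOR = r"""
import hmac, os, sys
USERS = {"alice": ("s3cret", {"Service-Type": "Login-User",
                               "Session-Timeout": "3600"})}
fd = int(sys.argv[1])                     # back-channel fd handed in by the client
user = sys.stdin.readline().rstrip("\n")
password = sys.stdin.readline().rstrip("\n")
entry = USERS.get(user)
if entry is None or not hmac.compare_digest(entry[0], password):
    sys.exit(1)                           # FAIL: exit status only, nothing else
with os.fdopen(fd, "w") as back:          # PASS: relay the server's attributes
    for name, value in entry[1].items():
        back.write("%s=%s\n" % (name, value))
sys.exit(0)
"""


def authenticate(user, password):
    """Run the constructed authenticator above under the current interpreter."""
    return run_authenticator([sys.executable, "-c", AUTHENTICATOR],
                             user, password)


if __name__ == "__main__":
    print(authenticate("alice", "s3cret"))   # (True, {'Service-Type': ..., ...})
    print(authenticate("alice", "wrong"))    # (False, {})
```

The design point is the one the reply makes: the kernel only ever sees the resulting credential change, while the PASS/FAIL bit rides on the exit status and the richer attribute set rides on a channel the client controls. Treating that channel as untrusted input (strict parsing, and ignoring it entirely on FAIL) is what keeps a misbehaving or compromised authenticator from smuggling attributes into the client.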