Subject: Re: PAM
To: NetBSD Kernel Technical Discussion List <tech-kern@NetBSD.ORG>
From: Greg A. Woods <>
List: tech-kern
Date: 09/24/2002 16:57:53
[ On Tuesday, September 24, 2002 at 15:54:08 (-0400), Ken Hornstein wrote: ]
> Subject: Re: PAM 
> Let me apply this to the AFS example to make it clearer.
> In the AFS world, I need to add to the user's process two groups to
> the front of the group list (They're really an index into a kernel table
> that holds the Kerberos credentials).  To do this I call a special AFS
> system call that does the right magic for me.  After I do that, I need
> to call another AFS system call to place the Kerberos ticket into the
> kernel so that the AFS client can use it.  This is non-negotiable; it's
> the way AFS works (I don't want to get into the long explanation WHY
> it's this way right now; just trust me on this one).

Ah, well, that's a broken-by-design API, and is not a fault of AFS per se.

Besides, even with such a broken API, PAM is not the only solution here,
nor are these client/server and message-passing authentication models.
Such narrow views of the solution space will not accomplish anything
positive here.

> How do I do this via a message-passing interface?

Well, first you fix the API.  Probably this means adding a new set of
system calls and proc-level data structures, and then fixing whatever in
the other side of the AFS implementation makes use of these data.

								Greg A. Woods

+1 416 218-0098;            <>;           <>
Planix, Inc. <>; VE3TCP; Secrets of the Weird <>