Subject: Re: PAM
To: NetBSD Kernel Technical Discussion List <tech-kern@NetBSD.ORG>
From: Greg A. Woods <email@example.com>
Date: 09/24/2002 16:57:53
[ On Tuesday, September 24, 2002 at 15:54:08 (-0400), Ken Hornstein wrote: ]
> Subject: Re: PAM
> Let me apply this to the AFS example to make it clearer.
> In the AFS world, I need to add to the user's process two groups to
> the front of the group list (They're really an index into a kernel table
> that holds the Kerberos credentials). To do this I call a special AFS
> system call that does the right magic for me. After I do that, I need
> to call another AFS system call to place the Kerberos ticket into the
> kernel so that the AFS client can use it. This is non-negotiable; it's
> the way AFS works (I don't want to get into the long explanation WHY
> it's this way right now; just trust me on this one).
Ah, well, that's a broken-by-design API, and is not a fault of AFS per se.
Besides, even with such a broken API, PAM is not the only solution here,
nor are these client/server and message-passing authentication models.
Such narrow views of the solution space will not accomplish anything
> How do I do this via a message-passing interface?
Well, first you fix the API. Probably this means adding a new set of
system calls and proc-level data structures, and then fixing whatever in
the other side of the AFS implementation makes use of these data.
Greg A. Woods
+1 416 218-0098; <firstname.lastname@example.org>; <email@example.com>
Planix, Inc. <firstname.lastname@example.org>; VE3TCP; Secrets of the Weird <email@example.com>