Subject: Re: PAM
To: None <firstname.lastname@example.org>
From: der Mouse <mouse@Rodents.Montreal.QC.CA>
Date: 09/25/2002 10:10:42
>> So an authentication server cannot supply the credentials for the
>> client to use? [...]
> In the AFS world, I need to add to the user's process two groups to
> the front of the group list (They're really an index into a kernel
> table that holds the Kerberos credentials). To do this I call a
> special AFS system call that does the right magic for me. After I do
> that, I need to call another AFS system call to place the Kerberos
> ticket into the kernel so that the AFS client can use it.
(1) This is not a question of how to authenticate; it's a question of
what to do once authenticated. (This is admittedly a relatively
(2) It's also fairly easy to fix; the simplest change that comes to
mind is to have the magic syscalls affect the parent of the calling
process rather than the calling process itself. An arguably better
way would be to have the calls affect "the process on the other end
of this pipe".
(3) By imposing sufficiently restrictive "but I insist on doing it this
way"s, you can find similar problems with any scheme.
(4) At worst, you will just have to use older methods, less convenient
and/or less secure, when using AFS.
/~\ The ASCII der Mouse
\ / Ribbon Campaign
X Against HTML email@example.com
/ \ Email! 7D C8 61 52 5D E7 2D 39 4E F1 31 3E E8 B3 27 4B