Subject: Re: PAM
To: None <tech-kern@netbsd.org>
From: der Mouse <mouse@Rodents.Montreal.QC.CA>
List: tech-kern
Date: 09/25/2002 10:10:42
>> So an authentication server cannot supply the credentials for the
>> client to use?  [...]
> In the AFS world, I need to add to the user's process two groups to
> the front of the group list (they're really an index into a kernel
> table that holds the Kerberos credentials).  To do this I call a
> special AFS system call that does the right magic for me.  After I do
> that, I need to call another AFS system call to place the Kerberos
> ticket into the kernel so that the AFS client can use it.

(1) This is not a question of how to authenticate; it's a question of
    what to do once authenticated.  (This is admittedly a relatively
    minor point.)

(2) It's also fairly easy to fix; the simplest change that comes to
    mind is to have the magic syscalls affect the parent of the calling
    process rather than the calling process itself.  An arguably better
    way would be to have the calls affect "the process on the other end
    of this pipe".

(3) By imposing sufficiently restrictive "but I insist on doing it this
    way"s, you can find similar problems with any scheme.

(4) At worst, you will just have to use older methods, less convenient
    and/or less secure, when using AFS.

/~\ The ASCII				der Mouse
\ / Ribbon Campaign
 X  Against HTML	       mouse@rodents.montreal.qc.ca
/ \ Email!	     7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B