Subject: Re: PAM
To: None <tech-kern@netbsd.org>
From: Ken Hornstein <kenh@cmf.nrl.navy.mil>
List: tech-kern
Date: 09/25/2002 10:41:15
>(1) This is not a question of how to authenticate; it's a question of
>    what to do once authenticated.  (This is admittedly a relatively
>    minor point.)

Uh, yeah ... this was in response to the "Why do you need dynamic objects
in PAM?" comment.  This was an example of a reason why you need them.

>(2) It's also fairly easy to fix; the simplest change that comes to
>    mind is to have the magic syscalls affect the parent of the calling
>    process rather than the calling process itself.  An arguably better
>    way would be to have the calls affect "the process on the other end
>    of this pipe".

See the "But I live in the real world" comment previously.

>(3) By imposing sufficiently restrictive "but I insist on doing it this
>    way"s, you can find similar problems with any scheme.

It's not like the problem is hypothetical; it's something that people
have been doing for over a decade.  If it was some wacky hypothetical
problem, yes, you would have a point here ... but this is a real problem,
that people face in the real world.

>(4) At worst, you will just have to use older methods, less convenient
>    and/or less secure, when using AFS.

Methods that don't work, you mean.

--Ken