>> (1) This is not a question of how to authenticate; it's a question
>>     of what to do once authenticated.
> This was an example of a reason why you need [dynamic objects in
> PAM].

Rather, of why someone who refuses to consider other ways of addressing
the underlying problems needs them.  (Okay, that's excessively
restrictive.  Why someone who refuses to *use* other ways, etc.)

>> (2) It's also fairly easy to fix; the simplest change that comes to
>>     mind is to have the magic syscalls affect the parent of the
>>     calling process rather than the calling process itself.  [...]
> See the "But I live in the real world" comment previously.

So what's your point?  What's non-real-world about this?

It means a slight change to your existing AFS code, yes.  So does
_anything_ that isn't out-of-the-box AFS, and if you insist on
restricting yourself to that, why are you even chipping in on a
discussion about possible better ways to do things?

>> (4) At worst, you will just have to use older methods, less
>>     convenient and/or less secure, when using AFS.
> Methods that don't work, you mean.

No.  If I'd meant that, I'd have said that.

/~\ The ASCII				der Mouse
\ / Ribbon Campaign
 X  Against HTML	       mouse@rodents.montreal.qc.ca
/ \ Email!	     7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B