Subject: Re: BSD Authentication
To: Greywolf <greywolf@starwolf.com>
From: Simon J. Gerraty <sjg@crufty.net>
List: current-users
Date: 08/27/2003 22:17:38
>SJG> The more interesting aspect is the ability of radius and tacacs+ to
>SJG> communicate arbitrary attributes back to the client.  Typically you
>SJG> then want a means of making these known to the real client process.

>Isn't this just the sort of thing that secure ipc/rpc would be suited to?

Instead of what? RADIUS? TACACS+? or the means of an authenticator
communicating with its client?

>If the stuff is NOT handled in kernel (well, to a degree, all auth
>will eventually tweak something in the kernel pertinent to [sre][ug]id/

I'm not talking about just authentication now.  RADIUS et al, eventually
return a simple PASS/FAIL indicator so that bit could easily be handled
by the exit status of an authenticator.   It's the essentially arbitrary
attribute=value pairs that can accompany the response that are interesting.
You could of course save the av pairs in a file, and have the client
process read that or use any other IPC mechanism, but storing everything
in the kernel isn't necessary or necessarily desirable.

--sjg
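An added illustration of the split described in the message above (PASS/FAIL carried by the authenticator's exit status, attribute=value pairs carried over an ordinary pipe rather than the kernel); this is example code written for this page, not anything from the thread or from a BSD Auth implementation, and the stand-in authenticator, its sample attributes and the `parse_av_pairs` / `run_authenticator` names are all constructed for the demonstration.

```python
import subprocess
import sys

# Constructed sample of the av pairs a RADIUS/TACACS+ front end might pass back.
SAMPLE_OUTPUT = ("Framed-IP-Address=192.0.2.10\n"
                 "Session-Timeout=3600\n"
                 "Service-Type=Framed-User\n")


def parse_av_pairs(text):
    """Parse attribute=value lines from an authenticator's pipe.

    Blank or malformed lines are ignored rather than trusted; a later
    duplicate attribute simply overwrites the earlier one.
    """
    pairs = {}
    for line in text.splitlines():
        if "=" not in line:
            continue
        name, _, value = line.partition("=")
        name, value = name.strip(), value.strip()
        if name:
            pairs[name] = value
    return pairs


def run_authenticator(argv, timeout=10):
    """Run an authenticator as a child process.

    Exit status 0 means PASS, anything else FAIL.  Attributes are only
    read on PASS: data accompanying a rejection must not influence the
    session the client goes on to set up.
    """
    proc = subprocess.run(argv, capture_output=True, text=True, timeout=timeout)
    accepted = proc.returncode == 0
    pairs = parse_av_pairs(proc.stdout) if accepted else {}
    return accepted, pairs


def demo_authenticator_argv(accept):
    """Argv for a stand-in authenticator (this example only): it writes
    SAMPLE_OUTPUT to stdout and exits 0 on accept, 1 on reject."""
    script = ("import sys\n"
              "sys.stdout.write(%r)\n"
              "sys.exit(%d)\n" % (SAMPLE_OUTPUT, 0 if accept else 1))
    return [sys.executable, "-c", script]


if __name__ == "__main__":
    print(run_authenticator(demo_authenticator_argv(True)))
    print(run_authenticator(demo_authenticator_argv(False)))
```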