Subject: Re: PAM
To: NetBSD Kernel Technical Discussion List <tech-kern@NetBSD.ORG>
From: Greg A. Woods <woods@weird.com>
List: tech-kern
Date: 09/24/2002 16:57:53
[ On Tuesday, September 24, 2002 at 15:54:08 (-0400), Ken Hornstein wrote: ]
> Subject: Re: PAM
>
> Let me apply this to the AFS example to make it clearer.
>
> In the AFS world, I need to add to the user's process two groups to
> the front of the group list (They're really an index into a kernel table
> that holds the Kerberos credentials). To do this I call a special AFS
> system call that does the right magic for me. After I do that, I need
> to call another AFS system call to place the Kerberos ticket into the
> kernel so that the AFS client can use it. This is non-negotiable; it's
> the way AFS works (I don't want to get into the long explanation WHY
> it's this way right now; just trust me on this one).

Ah, well, that's a broken-by-design API, and is not a fault of AFS per se.
Besides, even with such a broken API, PAM is not the only solution here,
nor are these client/server and message-passing authentication models.
Such narrow views of the solution space will not accomplish anything
positive here.

> How do I do this via a message-passing interface?

Well, first you fix the API. Probably this means adding a new set of
system calls and proc-level data structures, and then fixing whatever in
the other side of the AFS implementation makes use of these data.

-- 
Greg A. Woods
+1 416 218-0098; <g.a.woods@ieee.org>; <woods@robohack.ca>
Planix, Inc. <woods@planix.com>; VE3TCP; Secrets of the Weird <woods@weird.com>