Solaris ssh pam_krb

Ken Hornstein kenh at cmf.nrl.navy.mil
Sat Apr 1 00:04:41 EST 2006


>Really, I think the introduction of a new process to keep track of 
>PAG->appid mappings is just silly.  The number of PAG application types in 
>the system is likely to be quite small, and the mappings themselves are 
>small as well.  Why not just store them in the PAG structure and be done 
>with it?

Just FYI ... it seems that the "security context" on MacOS X seems
to do what Nico describes.  It has a userspace daemon that you communicate
with via mach RPC calls, and it manages the security context information.
Mind you, I could very well be wrong about that ... this was inferred
from looking at the sources which are pretty convoluted (I was wondering
if it could be used to replace PAGs in the AFS client on MacOS X ...
the answer I came to was "no", because there was no good way to talk
to the daemon from the kernel).  Mind you, I don't necessarily think
this is a good idea; I am just reporting how I think it works, and
I could be wrong.

--Ken


