Solaris ssh pam_krb
Nicolas Williams
Nicolas.Williams at sun.com
Tue Apr 4 13:36:25 EDT 2006
On Tue, Apr 04, 2006 at 12:29:04PM -0500, greg at enjellic.com wrote:
> On Mar 31, 8:22pm, Jeffrey Hutzelman wrote:
> } Subject: Re: Solaris ssh pam_krb
>
> > But in a multi-application PAG world, _no_ application can directly
> > use the real PAG ID as an identifier, because it changes too much.
> > Instead they need an application-specific identifier. That applies
> > to encrypted filesystems, to AFS, and, I suspect, to NFS as well,
> > though you might not yet recognize that.
>
> An interesting comment.
I would relax the above a little, in light of other comments in this
thread:
In a multi-application PAG world applications MAY use the PAG ID
directly but MUST NOT change it directly and MUST be able to cope
with PAG IDs changing under their feet.
In a multi-application PAG world applications SHOULD construct their
own session/process group/whatever IDs, while the multi-application
PAG framework, in turn, MUST support association of arbitrary
application-specific IDs to PAGs (and PIDs, or something, for
make-before-break).
> Particularly given that notion that our open authorization
> architecture was predicated on each 'service' having its own unique
> identity.
Remember, PAGs do not provide process group separation _locally_, not in
the AFS model and not in the multi-application variant we've been
discussing.
Nico