Solaris ssh pam_krb

Nicolas Williams Nicolas.Williams at
Fri Mar 31 16:52:42 EST 2006

On Fri, Mar 31, 2006 at 03:41:13PM -0600, Douglas E. Engert wrote:
> While you are thinking about PAGs, how do you handle Solaris zones
> with PAGs?

The simple kernel PAG approach is orthogonal to zones: your pag_t's will
be unique to the whole system, zones or not.  The filesystem namespace,
and, therefore, the IPC end-points of the user-land daemon(s) tracking
PAG associations are already virtualized, therefore the existing zone
infrastructure is sufficient (provided we don't do stupid things) to
separate per-zone uses of PAGs.

> AIX and HPUX had a PAG field in the creds to be used with DFS.

Yup.  That's what I'd do, except that it wouldn't be a 64-bit unsigned
integer -- it'd be a pointer to a structure that contains the pag_t
number, a reference count, and, perhaps, zero-reference event
notification subscriber information.


More information about the Kerberos mailing list