Kerberized authorization service

Jos Backus jos at catnook.com
Tue Feb 5 16:17:27 EST 2008


On Tue, Jan 29, 2008 at 07:40:17AM -0600, John Hascall wrote:
> We have had a simple kerberized accessd service here for almost
> 20 years now.  It's some pretty ugly code, but if you wanted to
> make your own it would be about a day's project.  Ours uses the
> kind of really trivial protocol one might come up with when one
> has a day to create it :) 
> like:
>     sendauth(as host/host.name usually) -->
> then                           |------ nul-terminated strings ---------|
>     2bytes-count 2bytes-opcode princ resource mode wherefrom whatcomment -->
>     2bytes-count,2bytes-replycode <--   (false/true basically)
> 
> for example, sshd (via pam) might send
>     ##,access,john@IASTATE.EDU,foo.iastate.edu,,bar.iastate.edu,ssh
> ksu might send:
>     ##,access,john@IASTATE.EDU,foo.iastate.edu,root,ttyp6,su
> Our management system, moira, might send:
>     ##,add,john@IASTATE.EDU,foo.iastate.edu,...
>        delete ...
>        rename ...
> and so on.  It also supports hierarchical lists (e.g., foo.iastate.edu
> contains foo-staff and foo-guests which contain users, etc)
> 
> Resource names can be machines or printers or whatever (for example,
> we have an apache module that queries it too)
>  
> Recently, I had a couple of my student employees work up a
> proof-of-concept using SAML (with a kerb auth as part of the payload)
> as the protocol -- since SAML seems like a more likely future direction
> for a standardized auth protocol than something I threw together one
> night in 1990 :)
> 
> You could backend such a thing with LDAP or whatever you want
> (we use an in-core flattened double-hash structure,
> backed with a simple on-disk log-structured copy
> so that all operations are more-or-less done in small constant "O(1)" time.)

You think you could make either (or both) implementations available for public
consumption?  I'd love to have a look. If nothing else it sounds
battle-tested. :-)

Thanks,
-- 
Jos Backus
jos at catnook.com
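The request/reply framing John describes above, written out as an added example (this is not the accessd code from the thread). Byte order, the meaning of "count" (bytes following the count field) and the opcode numbers are assumptions; the field names come from the message, and the server-side parser checks the count against the bytes actually received instead of trusting it.

```python
import struct

# Framing from the thread: 2-byte count, 2-byte opcode, then five nul-terminated
# strings (princ, resource, mode, wherefrom, whatcomment); the reply is a 2-byte
# count and a 2-byte replycode (true/false). Assumed here, not stated in the
# thread: network byte order, "count" = bytes following the count field, and
# the opcode numbering below.
OPCODES = {"access": 1, "add": 2, "delete": 3, "rename": 4}   # assumed numbering
FIELDS = ("princ", "resource", "mode", "wherefrom", "whatcomment")
MAX_COUNT = 4096   # constructed upper bound so a bogus count cannot drive allocation

def encode_request(opcode, princ, resource, mode="", wherefrom="", whatcomment=""):
    """Build one request; an embedded NUL would shift every later field, so refuse it."""
    body = struct.pack("!H", OPCODES[opcode])
    for value in (princ, resource, mode, wherefrom, whatcomment):
        data = value.encode("utf-8")
        if b"\x00" in data:
            raise ValueError("embedded NUL in field")
        body += data + b"\x00"
    return struct.pack("!H", len(body)) + body

def decode_request(buf):
    """Strict server-side parse: the count must match the bytes actually received."""
    if len(buf) < 4:
        raise ValueError("short header")
    count, opcode = struct.unpack("!HH", buf[:4])
    if count > MAX_COUNT or len(buf) != 2 + count:
        raise ValueError("count does not match message length")
    payload = buf[4:]
    if not payload.endswith(b"\x00"):
        raise ValueError("final string is not NUL-terminated")
    parts = payload[:-1].split(b"\x00")
    if len(parts) != len(FIELDS):
        raise ValueError("expected %d strings, got %d" % (len(FIELDS), len(parts)))
    request = {"opcode": opcode}
    request.update(zip(FIELDS, (p.decode("utf-8") for p in parts)))
    return request

def encode_reply(allowed):
    """2-byte count (2 bytes follow) and 2-byte replycode: 1 = true, 0 = false."""
    return struct.pack("!HH", 2, 1 if allowed else 0)

def decode_reply(buf):
    count, code = struct.unpack("!HH", buf)   # raises on anything but 4 bytes
    if count != 2 or code not in (0, 1):
        raise ValueError("malformed reply")
    return code == 1
```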
