[OpenAFS] home on afs woes

Jeffrey Hutzelman jhutz@cmu.edu
Wed, 04 Jan 2006 17:55:04 -0500


On Wednesday, January 04, 2006 03:02:20 PM -0500 Jeffrey Altman 
<jaltman@secure-endpoints.com> wrote:

> Russ Allbery wrote:
>> Douglas E Engert <deengert@anl.gov> writes:
>> The client is, understandably, not going to forward the ticket until
>> after the authentication step is complete, so what this basically means
>> is authenticating the user, accepting the forwarded ticket, and then
>> reauthenticating the user.  I guess it would be possible to do this, but
>> ew.  I'm guessing ew would be the OpenSSH upstream reaction too.
>
> Processing of the .k5login file is not an authentication operation,
> it is an authorization operation.

Conceptually, yes.
In the PAM world, authorization checks such as this are done as part of the 
"authenticate" operation, not the "account management" operation.

For cases where authentication is not done using PAM, such as sshd using 
gssapi user auth, the application is responsible for performing whatever 
authorization checks are required.  In ssh, this is done as part of the 
user authentication operation.

-- Jeff