[OpenAFS-devel] Re: [PATCH] PAG support, try #2
Trond Myklebust
trond.myklebust@fys.uio.no
15 May 2003 03:34:25 +0200
>>>>> " " == Linus Torvalds <torvalds@transmeta.com> writes:
> I'm interested in a much more generic issue of "user
> credentials", and here a PAG can be _one_ credential that a
> user holds on to. But to be useful, a user has to be able to
> have multiple such credentials. While one might be his "AFS
> userid", another will be his NFS mount credentials, and a third
> one will be his key to decrypt his home directory on that
> machine.
The interesting thing about a PAG is that it is a handle that is
shared between userland and the kernel, and carries information about
which collection of authentication tokens/credentials a process holds.
RPCSEC can be made to use it to communicate which bag of creds the
userland daemon may use when it attempts to negotiate a new security
context for an NFS user. At the moment all we can tell is 'use the
credentials of uid=zyx', which is no good if the user wants two
subprocesses to authenticate using different remote Kerberos accounts,
say.
Cheers,
Trond