[OpenAFS-devel] Re: [PATCH] PAG support, try #2

Trond Myklebust trond.myklebust@fys.uio.no
15 May 2003 03:34:25 +0200


>>>>> " " == Linus Torvalds <torvalds@transmeta.com> writes:

     > I'm interested in a much more generic issue of "user
     > credentials", and here a PAG can be _one_ credential that a
     > user holds on to. But to be useful, a user has to be able to
     > have multiple such credentials. While one might be his "AFS
     > userid", another will be his NFS mount credentials, and a third
     > one will be his key to decrypt his home directory on that
     > machine.

The interesting thing about a PAG is that it is a handle that is
shared between userland and the kernel, and carries information about
which collection of authentication tokens/credentials a process holds.

RPCSEC can be made to use it to communicate which bag of creds the
userland daemon may use when it attempts to negotiate a new security
context for an NFS user. At the moment all we can tell is 'use the
credentials of uid=zyx' which is no good if the user wants 2
subprocesses to authenticate using different remote Kerberos accounts,
say.

Cheers,
  Trond
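As an added illustration (this is not code from the thread, from OpenAFS, or from the Linux RPCSEC work), here is a small Python model of the distinction drawn above: a credential bag keyed by a PAG handle that children inherit across fork, beside today's uid-only lookup where two subprocesses of the same user cannot hold different Kerberos identities. The process tree, handle space, principal names and store classes are all constructed for the example.

```python
"""Toy model: PAG-keyed versus uid-keyed credential selection.

Constructed illustration only; not OpenAFS, Linux, or RPCSEC_GSS code.
"""
import itertools
from dataclasses import dataclass
from typing import Optional

# Constructed: a monotonically increasing handle space standing in for
# whatever the kernel would hand out as a PAG identifier.
_pag_counter = itertools.count(0x41000000)


@dataclass
class Process:
    pid: int
    uid: int
    pag: Optional[int] = None  # handle shared with the kernel, inherited on fork

    def fork(self, pid: int) -> "Process":
        # A child starts in the parent's PAG (or in none at all).
        return Process(pid=pid, uid=self.uid, pag=self.pag)

    def setpag(self) -> int:
        # Like AFS setpag(): leave the parent's group and obtain a fresh handle.
        self.pag = next(_pag_counter)
        return self.pag


class PagKeyedStore:
    """Proposed keying: one bag of credentials per PAG handle."""

    def __init__(self) -> None:
        self._by_pag = {}

    def add(self, pag: int, principal: str) -> None:
        self._by_pag[pag] = principal

    def creds_for(self, proc: Process) -> Optional[str]:
        # A process outside any PAG holds no bag at all.
        return None if proc.pag is None else self._by_pag.get(proc.pag)


class UidKeyedStore:
    """Today's situation: all the daemon learns is 'use uid N', so one
    credential cache per uid is the best it can do; a later login for the
    same uid simply replaces the earlier one."""

    def __init__(self) -> None:
        self._by_uid = {}

    def add(self, uid: int, principal: str) -> None:
        self._by_uid[uid] = principal

    def creds_for(self, proc: Process) -> Optional[str]:
        return self._by_uid.get(proc.uid)


def negotiate(store, proc: Process) -> Optional[str]:
    """Stand-in for the userland daemon choosing which principal to use
    when a new security context is negotiated for this process."""
    return store.creds_for(proc)


def demo() -> dict:
    shell = Process(pid=100, uid=1000)
    a = shell.fork(101)
    a.setpag()                     # first subprocess: its own PAG
    b = shell.fork(102)
    b.setpag()                     # second subprocess: a different PAG
    c = a.fork(103)                # grandchild inherits a's PAG
    plain = shell.fork(104)        # never called setpag(): no bag

    pag_store = PagKeyedStore()
    pag_store.add(a.pag, "alice@EXAMPLE.ORG")         # constructed principals
    pag_store.add(b.pag, "alice-admin@EXAMPLE.ORG")

    uid_store = UidKeyedStore()
    uid_store.add(1000, "alice@EXAMPLE.ORG")
    uid_store.add(1000, "alice-admin@EXAMPLE.ORG")    # overwrites the first

    return {
        # PAG keying: each subprocess gets the identity it asked for.
        "pag": (negotiate(pag_store, a), negotiate(pag_store, b)),
        # uid keying: both subprocesses end up with the same identity.
        "uid": (negotiate(uid_store, a), negotiate(uid_store, b)),
        "child": negotiate(pag_store, c),
        "nopag": negotiate(pag_store, plain),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The point the model makes is the one in the message: the handle is the unit of sharing, so inheritance across fork gives the grandchild the right bag, while a uid alone collapses every subprocess of one user onto a single identity.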