[OpenAFS-devel] OpenAFS and OpenSSH-3.8
Douglas E. Engert
deengert@anl.gov
Mon, 01 Mar 2004 10:23:16 -0600
Jim Rees wrote:
>
> Theo is dead set against using dlopen in "critical" software like sshd.
> When we added smartcard support to OpenSSH I had to remove the dynamic
> reader library loading, and bind statically against one reader library
> (currently Todos).
But PAM is OK? It's doing dlopen.
>
> I think the long term solution is to get linux and the BSDs to agree on a
> common setpag syscall, and have it available even if afs is not loaded.
> Then sshd can call setpag without worrying about SIGSYS. A helper process
> can be used to acquire tokens.
If you can pull that off, that would be great. I was looking more short term,
with the current situation of the AFS PAG and getting tokens from delegated
credentials. I was trying to make it so the method used was outside of sshd.
Your helper process sounds very similar to the DCE DFS dced.
We still have the problem of convincing Linux and the BSDs to add a setpag syscall.
I never got any comments back on the note I sent where I said:
> In a single machine the above is true. But Unix/Linux has no concept
> of a network identity with the ability to use network credentials from
> within the kernel.
>
> One could argue the UID is THE credential for access to the local file
> system. Possession of the UID by the kernel for a process allows that
> process access to the local file system.
>
> The PAG in effect is one way for the Linux kernel to support these network
> credentials. If added correctly, they could be used for more than file
> systems, like IPSEC or TLS in the kernel. It's not the PAG, but the ability
> to use network credentials that is needed.
>
--
Douglas E. Engert <DEEngert@anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444