[OpenAFS] home on afs woes

Russ Allbery rra@stanford.edu
Wed, 04 Jan 2006 13:36:03 -0800

Jeffrey Altman <jaltman@secure-endpoints.com> writes:

> Processing of the .k5login file is not an authentication operation, it
> is an authorization operation.  Therefore, it is perfectly reasonable
> for the client to mutually authenticate with a server, forward a ticket
> and then have access rejected due to an authorization failure.

Hm, yes, that's a good point.

Okay, I withdraw my objection about how this works with OpenSSH
forwarding; my only concern is for how to do the right thing in PAM
modules then.

Russ Allbery (rra@stanford.edu)             <http://www.eyrie.org/~eagle/>