The kernel doesn't know whether you got into the system using a
kerberized rsh, ssh, telnet, or by a buffer-overflow.
The 'authenticated' user in fact already got his kerberos tokens on the
system he is logging in from. The kerberized rshd simply adds the token
used as authentication to the new session, if it is a TGT it can be used
to obtain AFS and other credentials either from within the daemon or
through commands in a .login script (using afslog or aklog or something).
> Since each invocation of the server would be placed into its own PAG,
> (sort of by definition of a PAG) then each invocation of the server would
> have to get a new AFS token.
Which actually seems logical to me.
> What I am looking for is that the server can verify the identity, of the
> client, then use previously forwarded credentials, such as a TGT or AFS token,
> so it does not have to get a new token., i.e. it joins the existing PAG.
You could have the kerberized rshd remember the tokens it obtained
during a previous login or were forwarded by the client and associate
them with the new PAG. No need to join an existing PAG.
What you propose has completely different behaviour depending on whether
the user happens to have a secondary permanent connection to the target
host or not. If there is no permanent session there will be no PAG to
join and each rsh invocation will have to reauthenticate anyways.
Jan
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/