Re: [OpenAFS-devel] Re: [PATCH] PAG support, try #2

Trond Myklebust (trond.myklebust@fys.uio.no)
15 May 2003 03:34:25 +0200


>>>>> " " == Linus Torvalds <torvalds@transmeta.com> writes:

> I'm interested in a much more generic issue of "user
> credentials", and here a PAG can be _one_ credential that a
> user holds on to. But to be useful, a user has to be able to
> have multiple such credentials. While one might be his "AFS
> userid", another will be his NFS mount credentials, and a third
> one will be his key to decrypt his home directory on that
> machine.

The interesting thing about a PAG is that it is a handle that is
shared between userland and the kernel, and carries information about
which collection of authentication tokens/credentials a process holds.

RPCSEC can be made to use it to communicate which bag of creds the
userland daemon may use when it attempts to negotiate a new security
context for an NFS user. At the moment all we can tell is 'use the
credentials of uid=zyx' which is no good if the user wants 2
subprocesses to authenticate using different remote kerberos accounts,
say.

Cheers,
Trond
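
Added example, not part of the message above and not kernel, NFS or OpenAFS code: a small userspace C model of the point being made, contrasting a daemon that can only be told "use the credentials of uid=X" with one that is handed a PAG. All names here (`struct proc`, `new_pag`, `lookup_by_uid`, `lookup_by_pag`, the principals) are hypothetical and the data is constructed.

```c
#include <stdio.h>
#include <string.h>

/* Constructed model: a process carries a uid and a PAG handle (0 = none). */
struct proc { int uid; unsigned pag; };
/* One entry in the userland daemon's credential store. */
struct cred_entry { int uid; unsigned pag; const char *principal; };

static unsigned next_pag = 1;
static struct cred_entry store[8];
static int nstore;

/* Start a fresh PAG; processes forked afterwards share the handle. */
static void new_pag(struct proc *p) { p->pag = next_pag++; }

/* fork(): the child inherits both uid and PAG. */
static struct proc fork_proc(const struct proc *parent) { return *parent; }

/* Record a credential obtained by process p. */
static void store_cred(const struct proc *p, const char *principal) {
    if (nstore < 8)
        store[nstore++] = (struct cred_entry){ p->uid, p->pag, principal };
}

/* uid-only request: the first entry for that uid wins, so two
 * subprocesses of one user cannot be told apart. */
static const char *lookup_by_uid(int uid) {
    for (int i = 0; i < nstore; i++)
        if (store[i].uid == uid) return store[i].principal;
    return NULL;
}

/* PAG-keyed request: the handle selects one specific bag of creds. */
static const char *lookup_by_pag(unsigned pag) {
    for (int i = 0; i < nstore; i++)
        if (store[i].pag == pag) return store[i].principal;
    return NULL;
}

int main(void) {
    struct proc shell = { 1000, 0 };
    struct proc a = fork_proc(&shell), b = fork_proc(&shell);
    new_pag(&a); store_cred(&a, "alice@REALM-A.EXAMPLE");
    new_pag(&b); store_cred(&b, "bob@REALM-B.EXAMPLE");
    struct proc a_child = fork_proc(&a);   /* inherits a's PAG */
    printf("by uid: a=%s b=%s\n", lookup_by_uid(a.uid), lookup_by_uid(b.uid));
    printf("by pag: a=%s a_child=%s b=%s\n", lookup_by_pag(a.pag),
           lookup_by_pag(a_child.pag), lookup_by_pag(b.pag));
    return strcmp(lookup_by_pag(a.pag), lookup_by_pag(b.pag)) == 0;
}
```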