Jeffrey Hutzelman wrote:
>
> On Monday, January 26, 2004 12:59:56 -0600 "Douglas E. Engert"
> <[EMAIL PROTECTED]> wrote:
>
> > Yes, ak5log or gssklog. Note the -setpag, when it works, is nice
> > as this sets the PAG in the parent processes so makes it even easier
> > to get the OpenAFS dependencies out of the caller.
>
> Except this works only up exactly one level. The OpenSSH folks will
> inevitably end up calling this code from some process which is not in the
> inheritance chain for the user's shell, leaving us right where we are today
> with PAM. Even if they don't do it today, the restriction is obscure and
> will not be well known to people working on OpenSSH, so there is a good
> chance that it will be inadvertently broken later.

Well the PAG needs to be set. The code with the kafs sets it in the
current process, which is the process I would have fork and exec aklog,
so if they move the code in either case the PAG will be wrong.

>
> Worse, there is a good chance that whatever PAG mechanism we end up with on
> Linux 2.6 will not support setpag-in-parent at all. So it would be wise to
> avoid introducing new dependencies on it, especially in other people's code.

OK. The situation I would like to avoid is vendors packaging OpenSSH
executables that don't have any hooks in them to set the PAG or get a
token, which is the case today. The OpenSSH people are amenable to
including some code for AFS, but it is #ifdefed. I would like to see them
include code that can run on a system with or without AFS and not
require AFS headers and libs to build and would always be available in
the executable. It makes their life easier, and so makes our life easier,
and promotes OpenAFS.

If the PAG on Linux is defined by Linux code, and support could always
be compiled in then on Linux at least the -setpag would not be needed,
as there is a better way. That I could see #ifdef depending on OS.
The aklog, afslog or whatever could actually test if a PAG needs to
be obtained.

Is the PAG mechanism you expect to end up with on Linux going to be
a standard feature, i.e. always in the kernel? If not and the setpag
of parent is not available either, that could be a step backward.

>
> -- Jeff

--
Douglas E. Engert <[EMAIL PROTECTED]>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
