Jeff, your solutions are a bit like saying that everybody should just be happy using an 8086 CPU because it's Turing-complete. It's not "wrong", but if users have to jump through a lot of hoops, or even one hoop *per cell*, they'll simply avoid AFS.
Furthermore, while your Network Identity Manager thing is indeed quite cool, it is unfortunately Windows-specific.

  - a

Jeffrey Altman <[EMAIL PROTECTED]> writes:
> Adam Megacz wrote:
>
>> Yes. One facet of what I'm getting at is that users should be able to
>> use face-to-face interaction as an authentication mechanism if their
>> AFS admins wish to allow that in their cell. Right now there is a
>> technological barrier to this policy option.
>
> I really think you are confusing the authentication and authorization
> issues. AFS does not manage identification. That is performed by
> whatever authentication system you are using. If you want to set up
> an authentication model that allows identities to be issued based upon
> one user in your authentication domain vouching for another, by all
> means implement a web interface that allows that. However, this has
> nothing at all to do with AFS which is simply a service that relies
> on an external authentication service.
>
> As I have pointed out numerous times this past week, if you can control
> a DNS domain then you can deploy a Kerberos realm and as the
> administrator of that realm you can implement whatever policy your heart
> desires.
>
> I have also described how you can use authentication services other than
> Kerberos with AFS by implementing a token issuing daemon that accepts
> your authentication mechanism and returns a token to the end user.
>
> The new Network Identity Manager that is being shipped with MIT Kerberos
> for Windows and will be distributed with OpenAFS in a future release is
> entirely modular. You can implement your own "identity" modules for it
> that can support your authentication model. For Unix, you can
> implement your own command line tools and PAM modules to obtain tokens
> for your users.
>
> Jeffrey Altman
>

--
PGP/GPG: 5C9F F366 C9CF 2145 E770 B1B8 EFB1 462D A146 C380
_______________________________________________
OpenAFS-info mailing list
OpenAFS-info@openafs.org
https://lists.openafs.org/mailman/listinfo/openafs-info