public inbox for linux-kernel@vger.kernel.org
From: Jesse Pollard <jesse@cats-chateau.net>
To: greg@enjellic.com, greg@wind.enjellic.com (Dr. Greg Wettstein),
	Linus Torvalds <torvalds@transmeta.com>,
	David Howells <dhowells@warthog.cambridge.redhat.com>
Cc: Dean Anderson <dean@av8.com>,
	Trond Myklebust <trond.myklebust@fys.uio.no>,
	Garance A Drosihn <drosih@rpi.edu>,
	Jan Harkes <jaharkes@cs.cmu.edu>,
	David Howells <dhowells@redhat.com>,
	<linux-kernel@vger.kernel.org>, <linux-fsdevel@vger.kernel.org>
Subject: Re: [OpenAFS-devel] Re: [PATCH] PAG support, try #2
Date: Fri, 16 May 2003 13:28:10 -0500
Message-ID: <03051613281001.27791@tabby>
In-Reply-To: <200305161805.h4GI5buN032216@wind.enjellic.com>

On Friday 16 May 2003 13:05, Dr. Greg Wettstein wrote:
> On May 15, 10:23am, Linus Torvalds wrote:
> } Subject: Re: [OpenAFS-devel] Re: [PATCH] PAG support, try #2
>
> Good morning to everyone discussing this fascinating topic.  I've been
> reading it for a day or two before joining in.  There have been some
> excellent points made and I won't even try to paraphrase all of them.
> I am including a snippet from what I consider the 'Linus definitive
> statement' on this issue since this is the definitive focal point
> which discussion must come down to.
>
> I think the issue comes down to whether or not Linux will incorporate
> functionality for the sake of correctness vs. expediency.  Based on
> all the history I think that everyone generally assumes that doing
> things correctly is the preferable route.
>
> In this case doing things the 'correct' way also provide the potential
> opportunity for Linux to do something reasonably creative.  I've been
> banging on issues with respect to identity management and Linux since
> about 1998 and it is now interesting to see these issues becoming
> pragmatically relevant.

There is also a (desire/need) to be able to integrate this with something
like IPSec...

In some Kerberos situations:
	1. authentication can be based on simple name/password
	2. authentication can be based on name/password/smart card

Some sites may accept #1 or #2. Other sites may only accept #2. (both are
related to the same realm, or cross realm operation).

> Technical thoughts follow below.
>
[Big snip]

Much of this can/should be handled outside the Kernel, PROVIDED, the kernel
can make a unique link between a process and the external security structure,
and provide communication paths between the service<=>kernel<=>app-server
("the service" is the security database server and "app-server" may be the
daemon granting login capability).

This way "the service" may make out-of-band remote requests for additional
authentication handling (translating remote credentials into local 
credentials type of thing).

It is VERY possible that a user may have been granted certain LOCAL privileges
provided the user is NOT utilizing unsecured networks. Or just making access
requests from unapproved locations... and still be permitted to make other
connections.

Assuming transitive privilege handling is NOT your friend (ie. undesired 
remote connection -> trusted host -> privileged access on third host).

This is slightly off the AFS line, but is spot on the "security services" that
are beginning to be discussed.
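The "transitive privilege" point above, as an added example that is not part of the thread or of the PAG patch: a small user-space policy check of the kind the message says should live in "the service" rather than the kernel. It evaluates a request that arrived through a chain of hosts against a site policy that demands a given authentication strength (name/password vs. name/password/smart card), IPsec protection and an approved origin location, and contrasts trusting only the nearest hop with requiring every hop back to the origin to satisfy the policy. The host names, the policy structure and the connection chain are constructed for illustration.

```c
/* Added example (not from the thread): user-space policy evaluation of a
 * request that reached us through a chain of hosts. Hosts, policies and the
 * chain below are constructed for illustration. */
#include <stddef.h>
#include <stdio.h>

/* Authentication strength, as described in the message: name/password
 * alone, or name/password plus smart card. */
enum auth_level {
    AUTH_NONE = 0,
    AUTH_PASSWORD = 1,
    AUTH_PASSWORD_SMARTCARD = 2
};

/* One hop of the path by which a request reached us. */
struct hop {
    const char *host;       /* hypothetical host name, used only in messages */
    enum auth_level auth;   /* how the principal authenticated to this host */
    int ipsec;              /* 1: the link into this host was IPsec-protected */
    int approved_location;  /* 1: the request entered this host from an approved location */
};

/* What a site (or realm) demands before granting the requested local privilege. */
struct site_policy {
    enum auth_level min_auth;
    int require_ipsec;
    int require_approved_location;
};

static int hop_satisfies(const struct site_policy *p, const struct hop *h)
{
    if (h->auth < p->min_auth)
        return 0;
    if (p->require_ipsec && !h->ipsec)
        return 0;
    if (p->require_approved_location && !h->approved_location)
        return 0;
    return 1;
}

/* Transitive evaluation: trust whatever the nearest hop presents. A weakly
 * authenticated origin that reaches a trusted host inherits that host's
 * standing; this is the behaviour the message warns against. */
int authorize_last_hop(const struct site_policy *p, const struct hop *chain, size_t n)
{
    if (n == 0)
        return 0;
    return hop_satisfies(p, &chain[n - 1]);
}

/* Non-transitive evaluation: the assurance of a path is that of its weakest
 * hop, so every hop back to the origin must satisfy the policy. */
int authorize_chain(const struct site_policy *p, const struct hop *chain, size_t n)
{
    size_t i;
    if (n == 0)
        return 0;
    for (i = 0; i < n; i++) {
        if (!hop_satisfies(p, &chain[i])) {
            printf("deny: hop %zu (%s) does not meet policy\n", i, chain[i].host);
            return 0;
        }
    }
    return 1;
}

/* Constructed scenario: a password-only login from an unapproved location over
 * an unprotected network reaches "gateway", then hops to "trusted" with a
 * smart card over IPsec, and from there requests a privilege on a third host. */
static const struct hop chain_via_trusted[] = {
    { "gateway", AUTH_PASSWORD,           0, 0 },
    { "trusted", AUTH_PASSWORD_SMARTCARD, 1, 1 },
};
static const struct site_policy strict_site  = { AUTH_PASSWORD_SMARTCARD, 1, 1 };
static const struct site_policy lenient_site = { AUTH_PASSWORD, 0, 0 };

int main(void)
{
    size_t n = sizeof chain_via_trusted / sizeof chain_via_trusted[0];

    printf("strict site, last hop only: %s\n",
           authorize_last_hop(&strict_site, chain_via_trusted, n) ? "allow" : "deny");
    printf("strict site, whole chain:   %s\n",
           authorize_chain(&strict_site, chain_via_trusted, n) ? "allow" : "deny");
    printf("lenient site, whole chain:  %s\n",
           authorize_chain(&lenient_site, chain_via_trusted, n) ? "allow" : "deny");
    return 0;
}
```

The difference between the two functions is the whole point: the nearest-hop check admits the request because "trusted" itself looks fine, while the whole-chain check refuses it because the origin hop never met the smart card, IPsec or location requirements. A lenient site that accepts name/password from anywhere admits the same chain under either evaluation.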


Thread overview: 23+ messages
2003-05-16 18:05 [OpenAFS-devel] Re: [PATCH] PAG support, try #2 Dr. Greg Wettstein
2003-05-16 18:28 ` Jesse Pollard [this message]
     [not found] <499763005@toto.iv>
2003-05-15 23:44 ` Peter Chubb
     [not found] <BKEGKPICNAKILKJKMHCAKEDODAAA.Riley@Williams.Name>
2003-05-15 13:26 ` Garance A Drosihn
  -- strict thread matches above, loose matches on Subject: below --
2003-05-14 10:43 David Howells
2003-05-14 16:58 ` Jan Harkes
2003-05-14 20:45   ` [OpenAFS-devel] " Harald Barth
2003-05-15  0:14   ` Garance A Drosihn
2003-05-15  0:57     ` Linus Torvalds
2003-05-15  1:34       ` Trond Myklebust
2003-05-15  2:30         ` Linus Torvalds
2003-05-15 14:04           ` Dean Anderson
2003-05-15 16:20             ` Linus Torvalds
2003-05-15 16:41               ` David Howells
2003-05-15 17:23                 ` Linus Torvalds
2003-05-16 12:12                   ` David Howells
2003-05-15 23:00           ` Garance A Drosihn
2003-05-16  0:53             ` Nathan Neulinger
2003-05-15  4:26       ` Russ Allbery
2003-05-15  4:59         ` Linus Torvalds
2003-05-15 15:34           ` Booker Bense
2003-05-15 13:12       ` Garance A Drosihn
2003-05-15 15:55         ` Douglas E. Engert
2003-05-15 13:35       ` David Howells
2003-05-15 13:55         ` chas williams
