Hello,
I've come in to this discussion rather late, but since the original
person mentioned NQS ...
I've just completed adding AFS authentication to DJM, a NQS-like queueing
system that runs on our CM-5. My approach was to take the same approach
used by the weak authentication stuff in inetd-afs, afs rsh, etc etc. What
this does is takes the token from the user who starts the job (by calling
ktc_GetToken), passes it into the queueing system as one of the job
parameters, and when the job is run the "shepherd" process calls setpag()
and ktc_SetToken for all the tokens the user has.
The advantage to this is the jobs run with the same tokens the user has
in his environment. The disadvantage is that the tokens are sent in the
clear over the network (in our case, currently only one machine, so that's
not a big deal), and they're stored in the clear in the job file. Since
the job files can only be read by root, I think they're safe enough (since
anyone who breaks root could just read the tokens out of kernel memory).
_If_ you're interested in that route, I suggest you start looking in the
AFS source code under inetd. If you don't have the source I can get you
started (it's really rather simple).
I don't know how much NQS is like DJM (I do know that DJM has an NQS
compatibility mode), but I think it would be easy enough to add.
--Ken
