On Tue, Jan 29, 2008 at 07:40:17AM -0600, John Hascall wrote:
> We have had a simple kerberized accessd service here for almost
> 20 years now. It's some pretty ugly code, but if you wanted to
> make your own it would be about a day's project. Ours uses the
> kind of really trivial protocol one might come up with when one
> has a day to create it :)
> like:
>   sendauth(as host/host.name usually) -->
>   then                  |------ nul-terminated strings ---------|
>   2bytes-count 2bytes-opcode princ resource mode wherefrom whatcomment -->
>   2bytes-count,2bytes-replycode <-- (false/true basically)
>
> for example, sshd (via pam) might send
>   ##,access,[EMAIL PROTECTED],foo.iastate.edu,,bar.iastate.edu,ssh
> ksu might send:
>   ##,access,[EMAIL PROTECTED],foo.iastate.edu,root,ttyp6,su
> Our management system, moira, might send:
>   ##,add,[EMAIL PROTECTED],foo.iastate.edu,...
>   delete ...
>   rename ...
> and so on
>
> It also supports hierarchical lists (e.g., foo.iastate.edu
> contains foo-staff and foo-guests which contain users, etc)
>
> Resource names can be machines or printers or whatever (for example,
> we have an apache module that queries it too)
>
> Recently, I had a couple of my student employees work up a
> proof-of-concept using SAML (with a kerb auth as part of the payload)
> as the protocol -- since SAML seems like a more likely future direction
> for a standardized auth protocol than something I threw together one
> night in 1990 :)
>
> You could backend such a thing with LDAP or whatever you want
> (we use an in-core flattened double-hash structure,
> backed with a simple on-disk log-structured copy
> so that all operations are more-or-less done in small constant "O(1)" time.
You think you could make either (or both) implementations available for
public consumption? I'd love to have a look. If nothing else it sounds
battle-tested. :-)

Thanks,
-- 
Jos Backus
jos at catnook.com
________________________________________________
Kerberos mailing list
[email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
