On Wednesday, January 04, 2006 03:02:20 PM -0500 Jeffrey Altman
<[EMAIL PROTECTED]> wrote:
Russ Allbery wrote:
Douglas E Engert <[EMAIL PROTECTED]> writes:
The client is, understandably, not going to forward the ticket until
after the authentication step is complete, so what this basically means
is authenticating the user, accepting the forwarded ticket, and then
reauthenticating the user. I guess it would be possible to do this, but
ew. I'm guessing ew would be the OpenSSH upstream reaction too.
Processing of the .k5login file is not an authentication operation,
it is an authorization operation.
Conceptually, yes.
In the PAM world, authorization checks such as this are done as part of the
"authenticate" operation, not the "account management" operation.
For cases where authentication is not done using PAM, such as sshd using
gssapi user auth, the application is responsible for performing whatever
authorization checks are required. In ssh, this is done as part of the
user authentication operation.
-- Jeff