Re: In-kernel Authentication Tokens (PAGs)

[Trond Myklebust]

På lau , 12/06/2004 klokka 19:33, skreiv Kyle Moffett:

> - Designed for AFS
> 
> I designed this because I would like to see a ticket/token storage 
> mechanism
> in the kernel.  I would like this to be something that could be a 
> Kerberos V5
> credentials cache, an RSA key storage agent (like ssh-agent), and a 
> generic
> remote filesystem token storage.

So this would be more like an in-kernel keyring then?

> - A token can only be on one PAG
> 
> True in my design, but in order to access the token you open() it, 
> which returns
> a filehandle that can be passed to any other program over a UNIX socket.
> This could be easily extended to allow the original user to 
> invalidate/close the
> other user's filehandle.  Also, the design allows each PAG to have a 
> parent,
> so it forms a tree (Must be non-cyclic).  This allows multiple 
> processes to share
> a set of global tokens in a parent PAG, and each have their own sub-PAGs
> that they can work in without disturbing the global token set.  Linus 
> even
> mentions that perhaps a list of PAGs could handle that issue, but with 
> that the
> priority is unintuitive, whereas with a tree one can match the process 
> tree
> much more accurately and without much effort.  Even still, my design 
> makes it
> simple to add the ability for a token to be in more than one PAG.

How does it cope with lifetime issues such as token renewal and
invalidation?

Does it provide for notifiers in case of invalidation, renewal or token
expiration?

For NFSv4 for instance, this is important, since the client will want to
evict all state if the user's credential expires.

Cheers,
  Trond
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/