OpenAFS and OpenSSH replacing kafs
Markus Friedl
markus at openbsd.org
Sun Feb 29 03:30:17 EST 2004
On Sat, Feb 28, 2004 at 09:02:01AM -0600, Douglas E. Engert wrote:
> > i don't see why sshd should play a dynamic linking game.
> >
> > either the library has the symbol at compiletime
> > or not.
>
> If a vendor, like Red Hat, Apple, Sun, HP, IBM or OpenBSD builds
> OpenSSH for distribution, they can do it without having OpenAFS
> available at compile time.
i think applications like sshd should not randomly dlopen() libraries
and execute unknown future functions.
> Yet when the end user uses OpenSSH on a system with OpenAFS
> they will work together because the hook in OpenSSH will already be
> in place by default.
if a vendor wants that, then they can ship OpenAFS
or a stub library.
> (1) Make the get_afs_token routine part of OpenSSH and compiled in.
> But this then has some dependencies on how the setpag is done
> and vendors may not compile in this option, especially if any
> OpenAFS libs are required at compile time.
OpenSSH is not responsible for a common AFS API, the
AFS vendors are.
> (2) PAM could be called when GSSAPI is used for authentication.
> A PAM session routine could do the setpag, as long as the PAM
> routine is run from the correct process.
if GSSAPI is the great generic security server API it claims
to be, then it can hide all this stuff from sshd.
-m