Date: Mon, 20 Oct 2008 00:38:17 -0400
From: Nathaniel W Filardo
To: Fans of the OS Plan 9 from Bell Labs <9fans@9fans.net>
Message-ID: <20081020043817.GG4216@masters10.cs.jhu.edu>
Subject: [9fans] Multi-domain authentication?

Hullo list.

http://osdir.com/ml/os.plan9.nine-grid/2005-06/msg00001.html is a proposal
from some years ago from TIP9UG to do multi-domain authentication in a way
somewhat reminiscent of Kerberos.[1] The only change to factotum, AFAICT,
was the following addition:

> if(_strfindattr(s->key->attr, "grid")){
>     snprint(s->t.suid, sizeof s->t.suid, "%s@%s", s->t.cuid, _strfindattr(s->key->attr, "dom"));
>     safecpy(s->t.cuid, s->t.suid, sizeof s->t.cuid);
>     flog("grid user: %s", s->t.suid);
> }

in the SHaveAuth case of p9skread.

This seems like a good way to go about MDA, so I am curious why this change
didn't get put back into the mainline code? Is there something
fundamentally wrong? Was a different approach selected? Was the issue
simply tabled?

Thanks.
--nwf;

[1] I say similar to Kerberos in that it requires a domain A wishing to
accept identities from domain B to have a key from B's authsrv. It differs
from Kerberos in that users in domain B act as if B's authsrv was the
authenticator for domain A.
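Added example, not part of the original message and not factotum's code: the "user@dom" rewrite from the quoted snippet in portable C, refusing a qualified name that does not fit the fixed-size field instead of truncating it. Assumptions: the 28-byte name field (ANAMELEN, as in Plan 9's authsrv.h), the hypothetical `Tnames` struct and `gridqualify` function, libc `snprintf` standing in for Plan 9's `snprint`, and the extra check for an '@' already present in the local name.

```c
#include <stdio.h>
#include <string.h>

enum { ANAMELEN = 28 };	/* assumed: name field size from Plan 9's authsrv.h */

/* Hypothetical stand-in for the two ticket fields the quoted snippet touches. */
typedef struct {
	char cuid[ANAMELEN];
	char suid[ANAMELEN];
} Tnames;

/*
 * Rewrite both ids to "cuid@dom" as the quoted snippet does, but refuse
 * instead of truncating. Returns 0 on rewrite, 1 if the key is not a grid
 * key (nothing changed), -1 if the qualified name is rejected.
 */
int
gridqualify(Tnames *t, int isgrid, const char *dom)
{
	char buf[ANAMELEN];
	int n;

	if(!isgrid)
		return 1;
	if(dom == NULL || dom[0] == '\0')
		return -1;
	/* a local name that already contains '@' would be ambiguous */
	if(strchr(t->cuid, '@') != NULL)
		return -1;
	n = snprintf(buf, sizeof buf, "%s@%s", t->cuid, dom);
	if(n < 0 || (size_t)n >= sizeof buf)
		return -1;	/* would not fit: two domains could collapse to one id */
	memcpy(t->suid, buf, (size_t)n + 1);
	memcpy(t->cuid, buf, (size_t)n + 1);
	return 0;
}

int
main(void)
{
	/* constructed sample names and domains */
	Tnames a = { "glenda", "bootes" };
	Tnames b = { "glenda", "bootes" };

	printf("%d %s\n", gridqualify(&a, 1, "cs.example.edu"), a.suid);
	printf("%d %s\n", gridqualify(&b, 1, "a-very-long-domain.example.org"), b.suid);
	return 0;
}
```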