nisse@lysator.liu.se (Niels Möller) writes:
Simon Josefsson jas@extundo.com writes:
You can extract the identity of the user who was authenticated, and then carry out the authorization procedure. Is there an authorization infrastructure in lsh?
I'm not sure exactly what you're asking, but my guess is "no".
Userauth methods return user objects, which implies that the client should be allowed to do most anything that user is allowed to do. These objects are usually looked up using the user_db abstraction.
Right, what I was looking for was something similar to
connection->user = USER_LOOKUP(self->gssapi->db, authid, authzid);
where authid was the GSS authenticated user (e.g., "jas") and authzid the username received from the first USERAUTH_REQUEST (e.g., "root"). The function would also check if jas was entitled to log on as root. (Some Kerberos implementations have a similar function (kuserok), but I always found it a gross design violation, as Kerberos is not an authorization mechanism.)
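As an added illustration of the USER_LOOKUP(db, authid, authzid) call sketched above (this is example code written for this page, not lsh code and not something either poster wrote): a small C lookup that answers "may the authenticated identity authid act as the local account authzid?" against a constructed in-memory rule table. The struct names, the rule format, the sample accounts and rules, and the policy that an identity may always act as the account of the same name (the kuserok-style default) are all assumptions of the example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for an lsh user object (assumed shape for this example). */
struct user {
    const char *name;      /* local account name */
};

/* One authorization rule: the authenticated identity `authid` may act
 * as the local account `authzid`. Assumed format for this example. */
struct authz_rule {
    const char *authid;
    const char *authzid;
};

/* Assumed database shape: the set of local accounts plus the rule table.
 * The table is keyed only by the authenticated name, so it is independent
 * of the mechanism (GSSAPI, public key, ...) that established that name. */
struct authz_db {
    const struct user *users;
    size_t n_users;
    const struct authz_rule *rules;
    size_t n_rules;
};

/* Constructed sample data. */
static const struct user sample_users[] = {
    { "root" }, { "jas" }, { "nisse" },
};
static const struct authz_rule sample_rules[] = {
    { "jas",   "root" },   /* jas may log in as root */
    { "nisse", "root" },
};
const struct authz_db sample_db = {
    sample_users, sizeof sample_users / sizeof sample_users[0],
    sample_rules, sizeof sample_rules / sizeof sample_rules[0],
};

static const struct user *find_user(const struct authz_db *db, const char *name)
{
    for (size_t i = 0; i < db->n_users; i++)
        if (strcmp(db->users[i].name, name) == 0)
            return &db->users[i];
    return NULL;
}

/* Returns the user object for `authzid` if `authid` (the identity the
 * userauth method established) is entitled to act as it, else NULL.
 * Assumed policy: the requested account must exist; an identity may
 * always act as the local account of the same name; any other mapping
 * needs an explicit rule in the table. */
const struct user *user_lookup(const struct authz_db *db,
                               const char *authid, const char *authzid)
{
    if (!db || !authid || !authzid)
        return NULL;
    const struct user *target = find_user(db, authzid);
    if (!target)
        return NULL;                  /* unknown account: refuse */
    if (strcmp(authid, authzid) == 0)
        return target;                /* same name: allowed by default */
    for (size_t i = 0; i < db->n_rules; i++)
        if (strcmp(db->rules[i].authid, authid) == 0 &&
            strcmp(db->rules[i].authzid, authzid) == 0)
            return target;            /* explicit rule found */
    return NULL;                      /* authenticated, but not authorized */
}

int main(void)
{
    const char *cases[][2] = {
        { "jas", "root" }, { "jas", "jas" }, { "jas", "nisse" }, { "jas", "nobody" },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        const struct user *u = user_lookup(&sample_db, cases[i][0], cases[i][1]);
        printf("%s as %s: %s\n", cases[i][0], cases[i][1], u ? "allowed" : "denied");
    }
    return 0;
}
```

The point of keeping the rule table separate from the GSSAPI (or any other) userauth method is the one made above about kuserok: the mechanism only establishes who authid is, and the decision about which accounts that identity may use lives in a table the mechanism knows nothing about. Note that a request for a nonexistent account is refused before any rule is consulted, so the lookup never returns an object for an account the server does not have.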