Simon Josefsson jas@extundo.com writes:
> You can extract the identity of the user who was authenticated, and then carry out the authorization procedure. Is there an authorization infrastructure in lsh?
I'm not sure exactly what you're asking, but my guess is "no".
Userauth methods return user objects, which implies that the client should be allowed to do most anything that user is allowed to do. These objects are usually looked up using the user_db abstraction.
I'd like to hook spki authorization into lsh, but that's nothing that exists today. The simplest way to go about that is to put an spki "tag" into the user object before it's returned from a userauth method. Tags could be things like
  (tag (login ...))
  (tag (command foo))
  (tag (sftp read (* prefix "/home/nisse/pub")))
/Niels
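
As an added illustration of the idea in the reply above (not lsh code, and not from either poster): a sketch of how a server could check an sftp request against a tag stored with the user object. The function names, the request layout `(sftp <op> <path>)` and the matching rules (a simplified reading of SPKI tag matching that handles only `(*)` and `(* prefix ...)`) are assumptions.

```python
import posixpath
import re

TOKEN = re.compile(r'\s*(\(|\)|"[^"]*"|[^\s()"]+)')
# Constructed sample: the third tag from the mail, as it would sit in a user object.
MAIL_TAG = '(tag (sftp read (* prefix "/home/nisse/pub")))'

def parse(text):
    """Parse one S-expression into nested lists of strings (simplified syntax)."""
    tokens, pos = TOKEN.findall(text), 0
    def read():
        nonlocal pos
        if pos >= len(tokens):
            raise ValueError("unbalanced parentheses")
        tok = tokens[pos]
        pos += 1
        if tok == ")":
            raise ValueError("unexpected ')'")
        if tok != "(":
            return tok.strip('"')
        items = []
        while pos < len(tokens) and tokens[pos] != ")":
            items.append(read())
        if pos >= len(tokens):
            raise ValueError("unbalanced parentheses")
        pos += 1  # consume ")"
        return items
    expr = read()
    if pos != len(tokens):
        raise ValueError("trailing data after expression")
    return expr

def permits(pattern, request):
    """True if the tag body `pattern` covers `request`; anything unknown is denied."""
    if isinstance(pattern, list) and pattern[:1] == ["*"]:
        star = pattern[1:]
        if not star:
            return True  # (*) matches anything
        if star[0] == "prefix" and len(star) == 2 and isinstance(star[1], str):
            return isinstance(request, str) and request.startswith(star[1])
        return False  # other star forms are not handled here: deny
    if isinstance(pattern, str) or isinstance(request, str):
        return pattern == request
    # Lists: extra trailing request elements only narrow the request further.
    return len(request) >= len(pattern) and all(map(permits, pattern, request))

def authorized(tag_text, op, path):
    """Check an sftp operation against the (tag ...) stored with the user."""
    tag = parse(tag_text)
    if not (isinstance(tag, list) and len(tag) == 2 and tag[0] == "tag"):
        raise ValueError("expected (tag ...)")
    # Prefix matching is a string comparison, so collapse ".." before checking.
    return permits(tag[1], ["sftp", op, posixpath.normpath(path)])
```

Because `(* prefix ...)` is a plain string comparison, the tag from the mail also admits `/home/nisse/public_html/...`; ending the prefix with `/` and resolving symlinks before the check narrows it to the directory.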