(Illustration by Gaich Muramatsu)
On Mon, Jul 10, 2006 at 08:01:02AM -0400, Greg Troxel wrote:
> > I can not log in to my environment directly, as it depends on things under
> > my $HOME, so I am forced to log in in two steps, first "failsafe" or on
> > an alphanumeric console, forge a token, then log in as usual.
> > In connected mode I am forced into doing clog the same two-step way.
> MIT Athena had to deal with this with AFS, which had homedirs there.
> There, you logged in via Kerberos and the login program did aklog
> (which is like clog with kerberos).

Hi Greg,

I think I forgot to comment on that traditional way to go, implied authentication against the filesystem during login.

Merging computer login and file system access rights is unfortunately inherently inconsistent. The former is essentially a proof of the right to run processes on the particular computer, while the latter refers to very different resources, residing elsewhere.

F.i. that would not work when your users have home directories in multiple realms. Say if for some reason you give me an account on your computer. I'd very much prefer to keep my home directory the way it is, in my Coda realm. To be generous and meet my wishes you would have to maintain authentication hooks per "user homedir file system type and realm". I bet you won't :)

Otherwise with "persistent rights on properly cached objects" you would not have to care about anything except creating an account with the right path to my home directory.

Then each user may put clog in their login scripts (even possibly put the Coda password on Coda itself, if one trusts as much all the hosts he is using). That would work on any host one is allowed to log in to with one's own home directory.

Regards,
Rune

Received on 2006-07-16 08:20:39