summaryrefslogtreecommitdiff
path: root/hurd/authentication.mdwn
blob: 4170c818ec8d023e7e79462c7d9bcb7ccf52d13f (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
[[license text="""
Copyright © 2007 Free Software Foundation, Inc.

Permission is granted to copy, distribute and/or modify this document under the
terms of the GNU Free Documentation License, Version 1.2 or any later version
published by the Free Software Foundation; with no Invariant Sections, no
Front-Cover Texts, and no Back-Cover Texts.  A copy of the license is included
in the section entitled [[GNU_Free_Documentation_License|/fdl.txt]].

By contributing to this page, you agree to assign copyright for your
contribution to the Free Software Foundation.  The Free Software Foundation
promises to always use either a verbatim copying license or a free
documentation license when publishing your contribution.  We grant you back all
your rights under copyright, including the rights to copy, modify, and
redistribute your contributions.
"""]]

UIDs on the Hurd are separate from processes.  A process has
[[capabilities]] designating so-called UID vectors that
are implemented by an [[auth]] server.  This
makes them easily [[virtualizable]].

When a process wishes to gain access to a resource provided by a third
party (e.g., a file system) and that party wishes to authenticate the client
so as to implement some identity-based access control ([[IBAC]]) policy,
the latter initiates a three-way authentication handshake.  The server
and client each then begin an authentication sequence with
their respective [[trust]]ed auth servers.  If they have
a mutally trusted ancestor and an auth server does not abort the
transaction, then the client is delivered a new capability
naming a newly authenticated session with the server
and the server is delivered the client's designated UID vector.

For more details, see section 2.3 of the [[critique]].