[OpenAFS-devel] [PATCH] new features for pam_afs

Derrick J Brashear shadow@dementia.org
Wed, 29 Aug 2001 14:10:14 -0400 (EDT)


The use of the passwd entries containing the crypted password replaced by
the string "USE_AFS" is described below. What is the point of this as
opposed to trying AFS authentication for users with a traditional
non-password in the field like "X"? If the intent is to not allow login at
all for accounts with a field "X" why put them in the passwd file at all?

The admission that it's non-portable is one good reason why this option
should not be included. Is there anything which would push this the other
way?

<P><DT><B><TT>check_pw_entry</TT>
</B><DD>The switch &quot;check_pw_entry&quot; is another option to differ
between local users and AFS users. In contrast to &quot;ignore_uid&quot;,
the criterion indicating whether the user is local or belongs to the AFS
cell is not the user id, but the user's password entry in the local 
/etc/passwd file. If the password is set as &quot;USE AFS&quot;, the
user is authenticated against AFS and ignored by <i>pam_afs.so</i>
else.<br>

Using this option it is possible to use a per user selection for the
decision which user belongs to the AFS and which user is local. However,
older unix systems may still use the password field for its original
purpose.<br>
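
Review bot: the sentinel string in the check_pw_entry description is written as &quot;USE AFS&quot; with a space, while the message above refers to it as "USE_AFS". The documentation should give the exact string the module compares against and say whether the whole password field must match it. The closing sentence about older unix systems that "may still use the password field for its original purpose" should state what the option does on such a system instead of leaving it as a caveat. Wording: "differ between" should read "distinguish between", and "ignored by pam_afs.so else" should read "otherwise ignored by pam_afs.so".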