[OpenAFS-devel] [PATCH] new features for pam_afs
Rudolph T Maceyko
rtm@cert.org
Wed, 29 Aug 2001 14:37:56 -0400
--On Wednesday, August 29, 2001 14:10:14 -0400 Derrick J Brashear
<shadow@dementia.org> wrote:
> The use of the passwd entries containing the crypted password
> replaced by the string "USE_AFS" is described below. What is the
> point of this as opposed to trying AFS authentication for users with
> a traditional non-password in the field like "X"? If the intent is to
> not allow login at all for accounts with a field "X" why put them in
> the passwd file at all?
Either this or the uid method would be good enough for what I have in
mind: identifying a set of users who are authenticated only locally,
while the rest of them are authenticated via AFS.
The situation I have in mind is a notebook computer that may not always
have access to its home cell (even when it's on the network--think
"firewall"). It's annoying at best to have to deal with AFS
authentication timeouts in these cases when the account is known to be
local-only.
> The admission that it's non-portable is one good reason why this
> option should not be included. Is there anything which would push
> this the other way?
I, for one, like the idea represented by this patch and the uid-based
one.
> <P><DT><B><TT>check_pw_entry</TT>
> </B><DD>The switch "check_pw_entry" is another option to
> differ between local users and AFS users. In contrast to
> "ignore_uid", the criterion indicating whether the user is
> local or belongs to the AFS cell is not the user id, but the user's
> password entry in the local /etc/passwd file. If the password is set
> as "USE AFS", the user is authenticated against AFS; otherwise the
> user is ignored by <i>pam_afs.so</i>.<br>
>
> Using this option it is possible to make a per-user selection of
> which users belong to the AFS cell and which users are local.
> However, older unix systems may still use the password field for its
> original purpose.<br>
Rudy
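The two selection mechanisms discussed in this thread, as an added illustration that is not part of the pam_afs patch or of anyone's message above. It parses a constructed /etc/passwd-style table and applies either the `check_pw_entry` rule (only a literal `USE_AFS` password field sends the user to AFS, so `x`, `X` or a real hash all mean "leave this account to local authentication") or a uid threshold; the exact threshold semantics of `ignore_uid` are not spelled out on the page, so the "uids at or below N are local" reading is an assumption, as are the account names and the `afs_decision` helper.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample /etc/passwd-style lines; not from any real system.
 * alice and carol carry the marker, bob has a (constructed) hash, root has "x". */
static const char *SAMPLE_PASSWD[] = {
    "root:x:0:0:root:/root:/bin/sh",
    "alice:USE_AFS:1001:100:Alice:/afs/example.org/user/alice:/bin/sh",
    "bob:$1$constructed$hash:1002:100:Bob (local):/home/bob:/bin/sh",
    "carol:USE_AFS:1003:100:Carol:/afs/example.org/user/carol:/bin/sh",
    NULL
};

enum { LOCAL_ONLY = 0, TRY_AFS = 1, NO_SUCH_USER = -1 };

/* check_pw_entry rule: AFS is attempted only when the password field is the
 * literal marker. Anything else (hash, "x", "X", "*") means the module ignores
 * the account, so a local-only laptop user never waits on an AFS timeout. */
int decide_by_pw_entry(const char *pw_field) {
    return strcmp(pw_field, "USE_AFS") == 0 ? TRY_AFS : LOCAL_ONLY;
}

/* uid rule (assumed semantics): uids at or below the threshold are local. */
int decide_by_uid(long uid, long ignore_uid_max) {
    return uid > ignore_uid_max ? TRY_AFS : LOCAL_ONLY;
}

/* Find `user` in the constructed table and apply one policy.
 * use_pw_entry != 0 selects the password-field rule, else the uid rule.
 * Entries with an empty name/password field fail the parse and are skipped. */
int afs_decision(const char *user, int use_pw_entry, long ignore_uid_max) {
    for (int i = 0; SAMPLE_PASSWD[i] != NULL; i++) {
        char name[64], pw[128];
        long uid;
        if (sscanf(SAMPLE_PASSWD[i], "%63[^:]:%127[^:]:%ld", name, pw, &uid) != 3)
            continue;
        if (strcmp(name, user) != 0)
            continue;
        return use_pw_entry ? decide_by_pw_entry(pw)
                            : decide_by_uid(uid, ignore_uid_max);
    }
    return NO_SUCH_USER;
}
```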