[OpenAFS-devel] [PATCH] new features for pam_afs

Rudolph T Maceyko rtm@cert.org
Wed, 29 Aug 2001 15:03:31 -0400


--On Wednesday, August 29, 2001 14:54:17 -0400 Derrick J Brashear 
<shadow@dementia.org> wrote:

> On Wed, 29 Aug 2001, Rudolph T Maceyko wrote:
>
>> --On Wednesday, August 29, 2001 14:10:14 -0400 Derrick J Brashear
>> <shadow@dementia.org> wrote:
>>
>> > The use of the passwd entries containing the crypted password
>> > replaced by the string "USE_AFS" is described below. What is the
>> > point of this as opposed to trying AFS authentication for users
>> > with a traditional non-password in the field like "X"? If the
>> > intent is to not allow login at all for accounts with a field "X"
>> > why put them in the passwd file at all?
>>
>> Either this or the uid method would be good enough for what I have
>> in mind: identifying a set of users who are authenticated only
>> locally, while the rest of them are authenticated via AFS.
>
> In what cases will you have local (non "X") passwords for users who
> you expect to authenticate via AFS?

Probably none.  :-)

>> > The admission that it's non-portable is one good reason why this
>> > option should not be included. Is there anything which would push
>> > this the other way?
>>
>> I, for one, like the idea represented by this patch and the
>> uid-based one.
>
> The ability to choose when you use AFS authentication is reasonable.

Agreed.

> The non-portable "embed a string" approach is undesirable.

OK.  His "ignore_uid" patch would happen to work for me, since I have a 
low local range of uids available (and don't expect to be able to 
authenticate any of these users in AFS).  Something more flexible is 
probably desirable in the general case.

Rudy