[OpenAFS-devel] [PATCH] new features for pam_afs
Derrick J Brashear
shadow@dementia.org
Wed, 29 Aug 2001 15:39:23 -0400 (EDT)
On Wed, 29 Aug 2001, David Thompson wrote:
> Derrick J Brashear wrote:
> >The use of the passwd entries containing the crypted password replaced by
> >the string "USE_AFS" is described below. What is the point of this as
> >opposed to trying AFS authentication for users with a traditional
> >non-password in the field like "X"? If the intent is to not allow login at
> >all for accounts with a field "X" why put them in the passwd file at all?
>
> So that things like `ls -l` show the right thing for that user's files, even
> if he isn't allowed to log in there.

I guess I did neglect that case.

> I have problems with overloading the passwd field of /etc/passwd. The
> non-portability issue here is very significant. There are many authentication
> mechanisms that this could break. If you want to choose an authentication
> mechanism on a per-user basis, the place to make the choice is in an auxiliary
> database (maybe just a flat file), not in /etc/passwd (or /etc/shadow).

Actually, given that you have PAM, adding a module to permit or deny login
on a per-user basis is very easy; there are already several modules which
permit use of such a database. I wrote such a module long ago, and should
have remembered to suggest such a solution.

-D