[OpenAFS-devel] Alternate cell PAM patch
Charles Clancy
security@xauth.net
Tue, 25 Jun 2002 10:36:00 -0500 (CDT)
On 25 Jun 2002, Derek Atkins wrote:
> Charles Clancy <security@xauth.net> writes:
>
> > Attached is a patch against the 1.2.5 source that will let you do
> > something like:
> >
> > auth optional /lib/security/pam_afs.so cell other-cell.domain.net
> > auth sufficient /lib/security/pam_afs.so try_first_pass refresh_token \
> > cell main-cell.domain.net
> > auth required /lib/security/pam_unix.so
> >
> > You need to specify "refresh_token" the second time you call it to prevent
> > it from getting a second PAG and making your first token useless.
> >
>
> Will refresh_token do the right thing if you don't already have a PAG?
Specifying "refresh_token" simply tells pam_afs not to get a PAG. If
authentication fails, you still keep the PAG. So in the above example, if
one didn't have an "other-cell.domain.net" account, the first pam_afs
would get a PAG, and authentication would fail. However, you'd keep that
PAG for authentication against "main-cell.domain.net"
[ t charles clancy ]-[ tclancy@uiuc.edu ]-[ uiuc.edu/~tclancy ]