[OpenAFS-devel] Alternate cell PAM patch

Charles Clancy security@xauth.net
Tue, 25 Jun 2002 10:36:00 -0500 (CDT)


On 25 Jun 2002, Derek Atkins wrote:

> Charles Clancy <security@xauth.net> writes:
>
> > Attached is a patch against the 1.2.5 source that will let you do
> > something like:
> >
> > auth optional   /lib/security/pam_afs.so cell other-cell.domain.net
> > auth sufficient /lib/security/pam_afs.so try_first_pass refresh_token \
> > 	cell main-cell.domain.net
> > auth required   /lib/security/pam_unix.so
> >
> > You need to specify "refresh_token" the second time you call it to prevent
> > it from getting a second PAG and making your first token useless.
> >
>
> Will refresh_token do the right thing if you don't already have a PAG?

Specifying "refresh_token" simply tells pam_afs not to get a PAG.  If
authentication fails, you still keep the PAG.  So in the above example, if
one didn't have an "other-cell.domain.net" account, the first pam_afs
would get a PAG, and authentication would fail.  However, you'd keep that
PAG for authentication against "main-cell.domain.net".

[  t charles clancy  ]-[  tclancy@uiuc.edu  ]-[  uiuc.edu/~tclancy  ]
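The PAG behaviour discussed in this thread, as an added illustration that is not part of the post and not OpenAFS or pam_afs code: a small Python model of a PAM auth stack in which an AFS-style module obtains a fresh PAG on every call unless "refresh_token" is given, and a token is only usable from the PAG it was obtained in. The cells, users, passwords and the simplified required/sufficient/optional semantics are all constructed for the example.

```python
"""Model of the pam_afs stacking described in the thread (added example, not
pam_afs or the patch from the post). Assumptions: each call to the AFS module
obtains a new PAG unless refresh_token is set, and a token is only visible
from the PAG that was current when it was obtained."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set
import itertools

_pag_counter = itertools.count(1)   # stand-in for the kernel handing out PAG ids


@dataclass
class Session:
    pag: Optional[int] = None
    tokens: Dict[str, int] = field(default_factory=dict)  # cell -> PAG token was obtained in

    def usable_tokens(self) -> Set[str]:
        """Tokens obtained in an earlier PAG are invisible once a new PAG is set."""
        return {cell for cell, pag in self.tokens.items() if pag == self.pag}


# Constructed sample data: which users exist in which cell, and locally.
CELL_ACCOUNTS = {
    "other-cell.domain.net": {"alice"},
    "main-cell.domain.net": {"alice", "bob"},
}
LOCAL_ACCOUNTS = {"carol"}
PASSWORDS = {"alice": "pw-a", "bob": "pw-b", "carol": "pw-c"}


def pam_afs(session, user, password, cell, refresh_token=False):
    """Without refresh_token, a new PAG is obtained before authenticating."""
    if not refresh_token:
        session.pag = next(_pag_counter)
    if user in CELL_ACCOUNTS.get(cell, set()) and PASSWORDS.get(user) == password:
        session.tokens[cell] = session.pag      # token lives in the current PAG
        return True
    return False


def pam_unix(session, user, password):
    return user in LOCAL_ACCOUNTS and PASSWORDS.get(user) == password


def run_auth_stack(stack, session, user, password):
    """Simplified Linux-PAM control semantics; every stack here ends in a
    'required' module, so reaching the end means that module ran."""
    required_failed = False
    for control, module, kwargs in stack:
        ok = module(session, user, password, **kwargs)
        if control == "required" and not ok:
            required_failed = True      # keep going, but the stack will fail
        elif control == "sufficient" and ok and not required_failed:
            return True                 # short-circuit: later modules are skipped
        # "optional": result ignored, as it is not the only module in the stack
    return not required_failed


# The stack from the post: second pam_afs call keeps the first PAG.
STACK_FROM_POST = [
    ("optional",   pam_afs,  {"cell": "other-cell.domain.net"}),
    ("sufficient", pam_afs,  {"cell": "main-cell.domain.net", "refresh_token": True}),
    ("required",   pam_unix, {}),
]
# Same stack without refresh_token, to show why the option is needed.
STACK_WITHOUT_REFRESH = [
    ("optional",   pam_afs,  {"cell": "other-cell.domain.net"}),
    ("sufficient", pam_afs,  {"cell": "main-cell.domain.net"}),
    ("required",   pam_unix, {}),
]


def login(user, password, stack=STACK_FROM_POST):
    """Returns (authenticated, set of cells whose tokens are usable afterwards)."""
    session = Session()
    ok = run_auth_stack(stack, session, user, password)
    return ok, session.usable_tokens()


if __name__ == "__main__":
    print("bob (main cell only):      ", login("bob", "pw-b"))
    print("alice (both cells):        ", login("alice", "pw-a"))
    print("alice, no refresh_token:   ", login("alice", "pw-a", STACK_WITHOUT_REFRESH))
    print("carol (local only):        ", login("carol", "pw-c"))
```

Running it shows the two cases from the thread: a user with no "other-cell" account still ends up with a usable main-cell token in the PAG the first call created, and a user in both cells keeps both tokens only when the second call uses refresh_token; without it the other-cell token is stranded in the superseded PAG.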