[OpenAFS] AFS Authentication with PAM

Todd M. Lewis Todd_Lewis@unc.edu
Thu, 05 Jul 2001 08:40:59 -0400


Ulisses Reina Montenegro wrote:
> 
> Greetings,
> 
> We are trying to use pam_afs[...]
> This breaks the transparency of a fully distributed
> authentication system, as we have to create every single user in every
> single machine, and AFS seems to be used only when checking passwords.
> Is this a known PAM/Linux glitch? What is the workaround for this?

I ran into the same issue, so I put together a pam module that checks
the pwdb. If it doesn't find the uname in question, it checks other
sources (in our case, a flat file that's never more than an hour out of
sync with the AFS servers) to see if that looks like a valid user for
the machine in question. If that checks out, it creates an entry in the
password file for that user. (All our AFS user's home directories are in
AFS, so there's nothing local that has to be set up except the passwd
file entry.) Then it runs pwconv if requested via a switch on the module
line. In any case, it returns PAM_SUCCESS, and the "real" authentication
modules take over from there.

I only run it on the machine in our conference room, but anybody who can
get physical access to it should be allowed on. The nice thing from my
perspective is that I don't have to deal with setting up accounts for
our people. They get set up just by trying to log in. They still can't
log in without the correct password, but that's handled by the other
modules.

There's a gzipped tarball of the thing if you want to grab it. It's at
http://tarna.oit.unc.edu/~utoddl/propup.tar.gz for the time being. To
make use of it, you'll have to modify it to suit your environment wrt
determining if a given uname should be allowed access to a given
machine, but that's the fun part...

Hope this helps.
-- 
   +------------------------------------------------------------+
  / Todd_Lewis@unc.edu              http://www.unc.edu/~utoddl /
 /(919) 962-5273     Official Signature of the New Millennium /
+------------------------------------------------------------+
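As an added example (not code from Todd's propup tarball), the decision his module describes, modelled in Python: look the user up in the local pwdb, fall back to the synced AFS user list, and build a passwd entry only for a user allowed on this host. The list format (uname:uid:hosts), the AFS home path and the host-allow field are assumptions.

```python
import pwd
import subprocess

# Added example of the decision Todd's module makes; the list format and the
# AFS home path are assumptions, not taken from his tarball.

AFS_HOME_ROOT = "/afs/example.org/home"   # assumed cell layout
# Constructed sample of the hourly-synced AFS user list: "uname:uid:hosts"
SAMPLE_USER_LIST = ["alice:1001:confroom,lab1", "bob:1002:*", "carol:1003:lab1"]

def parse_user_list(lines):
    """Parse 'uname:uid:host1,host2' lines into {uname: (uid, {hosts})}."""
    users = {}
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        uname, uid, hosts = line.split(":", 2)
        users[uname] = (int(uid), {h for h in hosts.split(",") if h})
    return users

def local_user_exists(uname, local_names=None):
    if local_names is not None:           # name set supplied: stay offline (tests)
        return uname in local_names
    try:
        pwd.getpwnam(uname)               # otherwise ask the real local pwdb
        return True
    except KeyError:
        return False

def passwd_entry_for(uname, hostname, afs_users, local_names=None):
    """Return the passwd line to append, or None if nothing should be created."""
    if local_user_exists(uname, local_names):
        return None                       # already provisioned
    if uname not in afs_users:
        return None                       # not a known AFS user
    uid, hosts = afs_users[uname]
    if hostname not in hosts and "*" not in hosts:
        return None                       # AFS user, but not allowed on this machine
    # 'x' in the password field: the real check stays with the AFS auth modules
    return f"{uname}:x:{uid}:{uid}:{uname}:{AFS_HOME_ROOT}/{uname}:/bin/sh"

def provision(uname, hostname, afs_users, run_pwconv=False):
    """Append the entry to /etc/passwd (root only) and optionally run pwconv."""
    entry = passwd_entry_for(uname, hostname, afs_users)
    if entry is None:
        return False
    with open("/etc/passwd", "a") as f:   # a real module should hold the lckpwdf lock
        f.write(entry + "\n")
    if run_pwconv:
        subprocess.run(["pwconv"], check=True)
    return True
```

provision() only creates the account record; it never decides whether the login succeeds, which stays with the authentication modules that run after it.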