[OpenAFS] Home directory in AFS

Charles Clancy security@xauth.net
Fri, 19 Apr 2002 09:28:33 -0500 (CDT)


> > The directory '/afs/bayour.com/user/turbo' is my
> > home-to-be... I have the PAM module 'pam_mkhomedir' enabled,
> > so that if the directory doesn't exist, it will be created on
> > first login (verified!)...

What are the permissions on /afs/bayour.com/user?  You're letting someone
with no AFS token create directories in AFS space?  In general, each user
normally has their own volume for their home directory.  Your model does
not seem scalable.

> > Now, if I'm remembering correctly from the list, I probably have to
> > add 'frans' to the OpenAFS user database as well. But is there ANY way
> > that I can get away NOT doing this?!? I already have TWO databases
> > for the users, and one more irritates me :)

You definitely need to add users to OpenAFS's protection server.
Otherwise they will never be able to access AFS space as an authenticated
user.  Aklog can do this automatically.

> > Secondly, and I've discussed this on the MIT KerberosV mailinglist,
> > what about using RSA keys? I liked that feature of SSH very much when
> > I started using it around '95 (or whatever it was :)... Especially
> > when starting my X WindowManager as an ssh-agent :)
>
> Second as for the RSA ssh-ing, I am guessing you mean the DSA/RSA hosts
> authentication with ~/.ssh/authorized_keys{1,2} functionality?

Not going to work with AFS unless you get Kerberos TGT passing to work.
If you do that, you might as well just use Kerberos authentication.  You
should apply the GSSAPI patch for OpenSSH, and then use regular Kerberos
authentication.  You'll need aklog to run at some point.

> > When using RSA keys, I don't get the initial ticket, and can't
> > therefore get the AFS token either... :(

Yup.  Need to pass your TGT.

Why are you using LDAP?!  It seems like you're just adding an extra step
to make things more complicated.  You obviously need some sort of name
service for a network of this nature, which LDAP can certainly do for you,
but why kerberize it?

[ t. charles clancy ]--[ tclancy@uiuc.edu ]--[ www.uiuc.edu/~tclancy ]
coordinated science laboratory | university of illinois | crypto group
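To illustrate the point made above that a public-key SSH login carries no Kerberos TGT and therefore cannot obtain an AFS token, here is an added login-hook script that is not part of the original message: it runs aklog only when `klist -s` reports a TGT (the situation after GSSAPI authentication with credential delegation) and otherwise reports why no token was obtained. It assumes MIT Kerberos `klist` and OpenAFS `aklog` and `tokens` on PATH, uses the thread's bayour.com as the cell name, and the sample `tokens` listing is constructed.

```shell
#!/bin/sh
# Added example: obtain an AFS token at login only if a Kerberos TGT exists.
# Public-key SSH logins leave no TGT, so aklog has nothing to work with;
# GSSAPI logins with delegation (GSSAPIDelegateCredentials) forward the TGT.

CELL="${AFS_CELL:-bayour.com}"   # example cell taken from the thread

# Constructed sample of `tokens` output for a user who already holds a token.
SAMPLE_TOKENS_WITH="Tokens held by the Cache Manager:

User's (AFS ID 1234) tokens for afs@bayour.com [Expires Apr 20 09:28]
   --End of list--"

# Constructed sample of `tokens` output with no token at all.
SAMPLE_TOKENS_WITHOUT="Tokens held by the Cache Manager:
   --End of list--"

# has_cell_token CELL  (reads a `tokens` listing on stdin)
# Exit 0 when the listing already shows a token for CELL, 1 otherwise.
has_cell_token() {
    grep -qF "tokens for afs@$1 [" 
}

# Convenience wrappers over the constructed samples (for offline checks).
sample_with_token()    { printf '%s\n' "$SAMPLE_TOKENS_WITH"    | has_cell_token "$CELL"; }
sample_without_token() { printf '%s\n' "$SAMPLE_TOKENS_WITHOUT" | has_cell_token "$CELL"; }

# afs_login_hook: call from the login profile after sshd/PAM has placed any
# forwarded credentials in the cache named by KRB5CCNAME.
afs_login_hook() {
    if tokens 2>/dev/null | has_cell_token "$CELL"; then
        return 0                        # token already present (e.g. via PAM)
    fi
    if klist -s 2>/dev/null; then
        aklog -cell "$CELL"             # TGT present: derive the AFS token
    else
        echo "no Kerberos TGT in this session; no AFS token for $CELL" >&2
        echo "(public-key SSH login forwards no TGT; use GSSAPI auth with delegation)" >&2
        return 1
    fi
}
```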