[OpenAFS] Home directory in AFS
Derrick J Brashear
shadow@dementia.org
Mon, 22 Apr 2002 10:43:55 -0400 (EDT)
On Mon, 22 Apr 2002, Todd M. Lewis wrote:
> Turbo Fredriksson wrote:
> >
> > >>>>> "Charles" == Charles Clancy <security@xauth.net> writes:
> >
> > Turbo> So just configure pam_mkhomedir to recognize a KerberosV
> > Turbo> keytab, do the 'kinit', then the 'aklog' (both with proper
> > Turbo> options) equivalences in C.
> >
> > Charles> For the 3rd or 4th time, this is a BAD IDEA.
> >
> > That's YOUR opinion. You have yet to PROVE and/or give a GOOD example/reason
> > for why this is a bad idea. All you manage to do is call me names.
>
> It's a bad idea because if (make that when) one of your hosts gets
> hacked, the bad guys get not only that host, but they get admin
> privileges in your cell.
I agree.
If you want to do something like this, I think about the safest thing you
can do is:
Create a public/private key pair.
Build the public key into a pam module.
Put the private key on a sealed server and give that admin privileges.
Make the server take requests and create homedirs.
Make the pam module talk to the server and communicate the user name you
want a directory for.
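The split described in the message above, as an added example that is not part of the original thread and not OpenAFS code: the private key lives only on the privileged "sealed" server, the PAM-side client is built with nothing but the public key, and the only thing the client can send is a user name. Ed25519 is an assumption (the message names no algorithm), the `Server`, `Client`, `Handle` and `RequestHome` names are hypothetical, the transport between the two hosts is reduced to a function argument, and the home root is a temporary directory standing in for the cell's home volume.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"fmt"
	"os"
	"path/filepath"
	"regexp"
)

// Request is all the unprivileged (PAM-side) module ever sends: a user name.
type Request struct {
	User string `json:"user"`
}

// Response is what the privileged server returns, signed with its private key.
type Response struct {
	User    string `json:"user"`
	Path    string `json:"path"`
	Created bool   `json:"created"`
}

// validUser keeps names to a conservative POSIX shape so the privileged side
// never sees "..", "/" or whitespace that could steer the directory path.
var validUser = regexp.MustCompile(`^[a-z_][a-z0-9_-]{0,31}$`)

// Server models the sealed host: it alone holds the private key and the
// right to create directories, and it exposes exactly one operation.
type Server struct {
	priv     ed25519.PrivateKey
	homeRoot string // constructed stand-in for the cell's home volume path
}

// Handle validates the request, creates the directory if it is missing, and
// returns the JSON response together with an Ed25519 signature over it.
func (s *Server) Handle(reqBytes []byte) (body, sig []byte, err error) {
	var req Request
	if err := json.Unmarshal(reqBytes, &req); err != nil {
		return nil, nil, err
	}
	if !validUser.MatchString(req.User) {
		return nil, nil, fmt.Errorf("rejected user name %q", req.User)
	}
	dir := filepath.Join(s.homeRoot, req.User)
	created := false
	if _, err := os.Stat(dir); os.IsNotExist(err) {
		if err := os.Mkdir(dir, 0o700); err != nil {
			return nil, nil, err
		}
		created = true
	}
	body, err = json.Marshal(Response{User: req.User, Path: dir, Created: created})
	if err != nil {
		return nil, nil, err
	}
	return body, ed25519.Sign(s.priv, body), nil
}

// Client models the PAM module: it holds only the server's public key.
type Client struct {
	pub ed25519.PublicKey
}

// RequestHome asks for the user's directory over some transport (send) and
// accepts the reply only if the signature verifies and it names the same user.
func (c *Client) RequestHome(user string, send func([]byte) ([]byte, []byte, error)) (*Response, error) {
	reqBytes, err := json.Marshal(Request{User: user})
	if err != nil {
		return nil, err
	}
	body, sig, err := send(reqBytes)
	if err != nil {
		return nil, err
	}
	if !ed25519.Verify(c.pub, body, sig) {
		return nil, fmt.Errorf("response signature invalid")
	}
	var resp Response
	if err := json.Unmarshal(body, &resp); err != nil {
		return nil, err
	}
	if resp.User != user {
		return nil, fmt.Errorf("response names %q, not %q", resp.User, user)
	}
	return &resp, nil
}

// NewPair hands the private half to the server and the public half to the client.
func NewPair(homeRoot string) (*Server, *Client, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Server{priv: priv, homeRoot: homeRoot}, &Client{pub: pub}, nil
}
```

The point of the layout is what a compromised login host is left holding: an embedded public key and the ability to ask for a directory by a strictly validated name. It gains no key or token that acts on the cell, and a forged or altered reply fails verification on the client because only the sealed server can produce a valid signature.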