[OpenAFS] Automatic AFS authentication on more than 1 cell

Giovanni Bracco bracco@frascati.enea.it
Thu, 28 Feb 2002 10:54:47 +0100


At 2/27/2002 11:21 AM -0600, you wrote:
> > Is it possible to authenticate to both cells at the ssh connection
> > providing the password only once (usernames and passwords are the same
> > on both systems)? Can it be done just by a proper setting of the pam
> > modules for sshd?
>
>It can be done with PAM quite easily, if such a module existed.  The
>current module does not support specifying an alternate cell name.
>However, it could easily be added.  Then a PAM config something like the
>following would work:
>
>auth sufficient /lib/security/pam_afs.so ignore_root
>auth optional   /lib/security/pam_afs.so ignore_root use_first_pass cell=other.cell refresh_tokens
>auth required   pam_unix.so
>
>You'd need the "refresh_tokens" to prevent creation of another PAG.  I
>could work on a patch to pam_afs, if there's sufficient interest.
>

It would be very useful really!

In the implementation it would be better not to modify the pam arguments 
but to add another file of the same type as "ThisCell" like "OtherCells" 
containing a list of cells, comma separated. If the file does not exist 
nothing new is performed. Does it sound reasonable?

Giovanni


Giovanni Bracco
Associazione EURATOM-ENEA sulla Fusione
C.R.E. ENEA Frascati
Via E. Fermi 45
I-00044 Frascati (Roma) Italy
phone 00-39-06-9400-5597
FAX   00-39-06-9400-5735
E-mail  bracco@frascati.enea.it
WWW   http://fusfis.frascati.enea.it/~bracco
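
One way the "OtherCells" file proposed in this message could be read, as an added example that is not part of the original message and is not pam_afs code. The function names, the length limit, the allowed characters and the ownership check are assumptions; only the comma-separated format and the "missing file changes nothing" behaviour come from the message.

```c
/* Added example, not pam_afs code; names, limits and checks are assumptions. */
#include <ctype.h>
#include <errno.h>
#include <fcntl.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

#define MAX_CELL_LEN 64 /* assumed limit on a cell name, including NUL */

/* Assumed syntax: cell names use only letters, digits, '.', '-' and '_'. */
static int valid_cell(const char *s, size_t n) {
    if (n == 0 || n >= MAX_CELL_LEN) return 0;
    for (size_t i = 0; i < n; i++)
        if (!isalnum((unsigned char)s[i]) && !strchr(".-_", s[i])) return 0;
    return 1;
}

/* Split on commas. Returns the number of cells stored, or -1 on a bad entry. */
int parse_other_cells(const char *text, char cells[][MAX_CELL_LEN], int max) {
    int count = 0;
    while (*text) {
        size_t n = strcspn(text, ","), len = n;
        const char *tok = text;
        while (len && isspace((unsigned char)*tok)) { tok++; len--; }
        while (len && isspace((unsigned char)tok[len - 1])) len--;
        if (len) { /* empty entries are skipped */
            if (count == max || !valid_cell(tok, len)) return -1;
            memcpy(cells[count], tok, len);
            cells[count++][len] = '\0';
        }
        text += n + (text[n] == ','); /* step over the separator, if any */
    }
    return count;
}

/* Missing file: 0 cells (nothing new happens). Unsafe or malformed file: -1. */
int load_other_cells(const char *path, char cells[][MAX_CELL_LEN], int max) {
    char buf[1024];
    struct stat st;
    int fd = open(path, O_RDONLY);
    if (fd < 0) return errno == ENOENT ? 0 : -1;
    /* The login password is tried against every listed cell, so refuse a
     * file that is not owned by root or that group/other can write. */
    int bad = fstat(fd, &st) != 0 || st.st_uid != 0 ||
              (st.st_mode & (S_IWGRP | S_IWOTH));
    ssize_t n = bad ? -1 : read(fd, buf, sizeof buf - 1);
    close(fd);
    if (n < 0 || (size_t)n == sizeof buf - 1) return -1; /* error or too long */
    buf[n] = '\0';
    return parse_other_cells(buf, cells, max);
}
```

A caller would treat a return of -1 as "authenticate to the local cell only", so a damaged or tampered file never widens where the password is sent.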