[OpenAFS] Automatic AFS authentication on more than 1 cell

Giovanni Bracco bracco@frascati.enea.it
Thu, 28 Feb 2002 10:54:47 +0100

At 2/27/2002 11:21 AM -0600, you wrote:
> > Is it possible to authenticate to both cells at the ssh connection
> > providing the password only once (usernames and passwords are the same
> > on both systems)? Can it be done just by a proper setting of the pam
> > modules for sshd?
>It can be done with PAM quite easily, if such a module existed.  The
>current module does not support specifying an alternate cell name.
>However, it could easily be added.  Then a PAM config something like the
>following would work:
>auth sufficient /lib/security/pam_afs.so ignore_root
>auth optional   /lib/security/pam_afs.so ignore_root use_first_pass
>                 cell=other.cell refresh_tokens
>auth required   pam_unix.so
>You'd need the "refresh_tokens" to prevent creation of another PAG.  I
>could work on a patch to pam_afs, if there's sufficient interest.

It would be very usefull really!

In the implementation it would be better not to modify the pam arguments 
but to add another file of the same type as "ThisCell" like "OtherCells" 
containing al list of cells,comma separated. If the file does not exist 
nothing new is performed. Does it sound reasonable?


Giovanni Bracco
Associazione EURATOM-ENEA sulla Fusione
C.R.E. ENEA Frascati
Via E. Fermi 45
I-00044 Frascati (Roma) Italy
phone 00-39-06-9400-5597
FAX   00-39-06-9400-5735
E-mail  bracco@frascati.enea.it
WWW   http://fusfis.frascati.enea.it/~bracco