[OpenAFS] User-files

Charles Clancy security@xauth.net
Tue, 25 Jun 2002 08:27:48 -0500 (CDT)

> > Second, when I log in to the console I got questioned for two passwords
> > now. What, If I want to log in by xdm/kdm/gdm? I read, that I could put it
> > in any Service, but can the mentioned programs manage this?
> Sounds like your Unix and AFS passwords are different.  The xlogin
> code should deal with this, but I don't know for sure.

Any application that *properly* supports PAM will prompt you for the
second password.  For example, CDE's dtlogin will ask for a second
password, but some of the older SSH's will not.

It sounds like you have pam_unix set as "required" followed by pam_afs set
as either "optional" or "required".  Some solutions:

1. Set your passwords the same, and then add "use_first_pass" to pam_afs's
configuration line; you will always only be prompted once, and the same
password will be applied to both modules.  To log in, both modules must
succeed.  If you add "try_first_pass" instead, it will first try to use
your UNIX password for AFS authentication.  If it fails, it will prompt you
for your AFS password.  Without either of those options, you will always
be prompted for your password twice.

2. Move pam_afs first on the list, and change it from optional/required to
"sufficient".  Then if pam_afs succeeds, pam_unix will not be consulted.

NOTE: on most Linux systems these days, you'll probably see "pam_stack
service=system-auth" rather than "pam_unix".  They are equivalent.

[  t charles clancy  ]-[  tclancy@uiuc.edu  ]-[  uiuc.edu/~tclancy  ]
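
The prompt counts and outcomes described in the message above can be checked with a small model of the PAM auth stack. This is an added example, not part of the original post and not Linux-PAM or OpenAFS code. It is a simplified model: the function name, the stack constants and the passwords are constructed for illustration, and "optional" is treated as never changing the outcome.

```python
# Simplified model of a PAM "auth" stack; added example, not Linux-PAM or OpenAFS code.
# Entry = (control, module, option). Passwords below are constructed sample values.

def run_stack(stack, real, typed):
    """Return (login_ok, prompts). real: module -> correct password;
    typed: what the user enters, one item per prompt."""
    typed = iter(typed)
    cached = None              # password kept from the first prompt
    prompts = 0
    required_failed = False
    any_ok = False
    for control, module, option in stack:
        ok = False
        if option in ("use_first_pass", "try_first_pass") and cached is not None:
            ok = cached == real[module]
        if not ok and option != "use_first_pass":
            # no option, or try_first_pass whose cached attempt failed: prompt
            entered = next(typed, None)
            prompts += 1
            if cached is None:
                cached = entered
            ok = entered == real[module]
        any_ok = any_ok or ok
        if control == "sufficient" and ok and not required_failed:
            return True, prompts           # later modules are not consulted
        if control == "required" and not ok:
            required_failed = True         # stack continues, login will fail
    return (any_ok and not required_failed), prompts

DIFFERENT = {"pam_unix": "unix-pw", "pam_afs": "afs-pw"}
SAME = {"pam_unix": "one-pw", "pam_afs": "one-pw"}

REPORTED = [("required", "pam_unix", ""), ("required", "pam_afs", "")]
USE_FIRST = [("required", "pam_unix", ""), ("required", "pam_afs", "use_first_pass")]
TRY_FIRST = [("required", "pam_unix", ""), ("required", "pam_afs", "try_first_pass")]
AFS_SUFFICIENT = [("sufficient", "pam_afs", ""), ("required", "pam_unix", "")]

if __name__ == "__main__":
    print(run_stack(REPORTED, DIFFERENT, ["unix-pw", "afs-pw"]))
    print(run_stack(USE_FIRST, SAME, ["one-pw"]))
    print(run_stack(USE_FIRST, DIFFERENT, ["unix-pw"]))
    print(run_stack(TRY_FIRST, DIFFERENT, ["unix-pw", "afs-pw"]))
    print(run_stack(AFS_SUFFICIENT, DIFFERENT, ["afs-pw"]))
```

With "use_first_pass" and mismatched passwords the model rejects the login after a single prompt, which is why option 1 starts with setting the passwords the same.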