[OpenAFS] Problem with PAM
Charles Clancy
security@xauth.net
Tue, 21 Jan 2003 13:56:42 -0600 (CST)
On Tue, 21 Jan 2003 Roberto.Gomezel@ts.infn.it wrote:
> - if a user is registered under NIS, but does not have an AFS account,
> he/she should be able to log in by using his/her NIS password
> - if he/she is registered under both NIS and AFS, he/she should be able to
> log in by using either the NIS or the AFS passwords; preferably, the
> AFS password should be tried first in order to try getting the AFS
> token;
So you want something like:
sufficient pam_afs.so ignore_root
required pam_unix.so use_first_pass
If you switched pam_unix and pam_afs, then AFS users would be
authenticated by NIS and never get a token.
> # cat /etc/pam.d/sshd
Leave the file for sshd alone.
> # cat /etc/pam.d/system-auth
Try these:
auth     required   /lib/security/pam_env.so
auth     sufficient /lib/security/pam_afs.so ignore_root
auth     sufficient /lib/security/pam_unix.so use_first_pass
auth     required   /lib/security/pam_deny.so
account  required   /lib/security/pam_unix.so
password required   /lib/security/pam_cracklib.so retry=3 type=
password sufficient /lib/security/pam_unix.so nullok use_authtok nis
password required   /lib/security/pam_deny.so
session  required   /lib/security/pam_limits.so
session  required   /lib/security/pam_unix.so
session  optional   /lib/security/pam_afs.so
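The ordering argument in the reply (pam_afs before pam_unix, both sufficient, pam_unix reusing the typed password via use_first_pass, pam_deny closing the stack) can be checked against a small model of how Linux-PAM walks an auth stack. The following is an added example written for this page, not code from the thread, from OpenAFS or from Linux-PAM: the modules are simplified stand-ins that consult constructed in-memory password tables (every account and password is made up), and the control-flag rules are the standard required/sufficient/optional semantics. It goes slightly beyond the reply by also showing what the trailing pam_deny line is for: with it removed, the required success of pam_env alone would let a wrong password through.

```python
"""Toy model of Linux-PAM 'auth' stack evaluation (required, sufficient,
use_first_pass), built to show why the pam_afs / pam_unix ordering in the
reply matters.  Constructed example for this page, not OpenAFS or Linux-PAM
code; module behaviour is simplified and every account below is made up."""
from __future__ import annotations
from dataclasses import dataclass, field

# Constructed password databases.  "carol" uses the same password in both,
# the usual case on a site that copied NIS passwords into AFS.
AFS_PASSWORDS = {"alice": "afs-secret", "carol": "shared"}
NIS_PASSWORDS = {"alice": "nis-secret", "bob": "nis-only", "carol": "shared"}
SUCCESS, AUTH_ERR, IGNORE = "success", "auth_err", "ignore"

@dataclass
class Handle:                      # pared-down pam_handle shared by the modules
    user: str
    typed: str                     # what the user typed at the prompt
    authtok: str | None = None     # PAM_AUTHTOK, exported by the module that prompted
    afs_token: bool = False        # set when pam_afs authenticates
    log: list = field(default_factory=list)

def _password(h, opts):
    """use_first_pass reuses the token an earlier module stored and never prompts."""
    if "use_first_pass" in opts:
        return h.authtok               # None if nothing prompted yet
    h.authtok = h.typed                # prompting module exports the password
    return h.typed

def pam_env(h, opts):
    return SUCCESS                     # sets environment variables; a "required" success

def pam_afs(h, opts):
    if "ignore_root" in opts and h.user == "root":
        return IGNORE                  # model: root is skipped without prompting
    pw = _password(h, opts)
    if pw is not None and AFS_PASSWORDS.get(h.user) == pw:
        h.afs_token = True
        h.log.append("pam_afs: token obtained")
        return SUCCESS
    return AUTH_ERR

def pam_unix(h, opts):
    pw = _password(h, opts)
    if pw is not None and NIS_PASSWORDS.get(h.user) == pw:
        h.log.append("pam_unix: NIS password accepted")
        return SUCCESS
    return AUTH_ERR

def pam_deny(h, opts):
    return AUTH_ERR

def run_auth_stack(stack, user, typed):
    """required: failure is remembered but later modules still run.
    sufficient: success ends the stack unless a required module already failed;
    failure is ignored.  End of stack: success only if the impression is positive.
    Returns (authenticated, handle)."""
    h = Handle(user, typed)
    impression = None                  # None / "positive" / "negative"
    for control, module, opts in stack:
        result = module(h, opts)
        if result == IGNORE:
            continue
        if control == "required":
            impression = "negative" if result != SUCCESS else (impression or "positive")
        elif control == "sufficient" and result == SUCCESS and impression != "negative":
            h.log.append(f"{module.__name__}: sufficient, stack done")
            return True, h
    return impression == "positive", h

def afs_first_stack(trailer=True):
    """Ordering from the reply; trailer=False drops the pam_deny line."""
    stack = [("required", pam_env, []),
             ("sufficient", pam_afs, ["ignore_root"]),
             ("sufficient", pam_unix, ["use_first_pass"])]
    return stack + [("required", pam_deny, [])] if trailer else stack

def nis_first_stack():
    """pam_unix and pam_afs swapped: the ordering the reply warns against."""
    return [("required", pam_env, []),
            ("sufficient", pam_unix, []),
            ("sufficient", pam_afs, ["ignore_root", "use_first_pass"]),
            ("required", pam_deny, [])]

if __name__ == "__main__":
    for label, stack in (("afs first", afs_first_stack()), ("nis first", nis_first_stack())):
        for user, pw in (("alice", "afs-secret"), ("alice", "nis-secret"),
                         ("carol", "shared"), ("bob", "nis-only"), ("bob", "wrong")):
            ok, h = run_auth_stack(stack, user, pw)
            print(f"{label:9} {user:6} {pw:10} login={ok!s:5} token={h.afs_token}")
```

Running it shows carol (same password in NIS and AFS) getting a token only with pam_afs first; with pam_unix first she is authenticated by NIS and pam_afs is never reached. The model skips root without prompting when ignore_root applies, so the following pam_unix use_first_pass line has nothing to reuse; whether the real module has already stored the typed password at that point is worth checking on your build before relying on this stack for root logins.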