pam authentication (was Re: [OpenAFS] some simple openafs questions)

Faheem Mitha faheem@email.unc.edu
Sun, 27 Jul 2003 17:33:26 -0400 (EDT)


On Fri, 25 Jul 2003, Jeffrey Hutzelman wrote:

> OK.  There seems to have been a lot of FUD spread in this thread.  Let me
> try to clear things up just a little...
[snip]

Thanks for taking the trouble to reply in such detail. In the course of
this thread I have realised that I am a little out of my depth in this. I
think perhaps I should start by getting a Kerberos realm working.

In any case, there is another, hopefully bite-sized task which has been on
my todo list for a while. This is to enable integrated afs token fetching
and login onto my Linux machines. My users don't like typing klog, and
they can't remember it... :-)

I took a look at the quick start Unix guide and it says the following.

*******************************************************************
Place the AFS entry below any entries that impose conditions under which
you want the service to fail for a user who does not meet the entry's
requirements. Mark these entries required. Place the AFS entry above any
entries that need to execute only if AFS authentication fails.

Insert the following AFS entry if using the Red Hat distribution:

auth  sufficient  /lib/security/pam_afs.so try_first_pass ignore_root
*********************************************************************

The /etc/pam.d/login file for my test machine (Debian) follows. This is
pretty much the default file; I've hardly modified it at all. I am not
sure where exactly to place this line. I get the general idea but am
afraid that if I put it in the wrong place I will not be able to log in.

Everyone in this group has been extremely helpful.  It would be extremely
nice if someone using Debian would tell me what line(s) they are using and
where they put it.  Then I too could use it with confidence that it will
work. I hope it will not involve rearranging the entries, though.

I basically want the login to behave as follows (if possible). If it
cannot contact the afs server it should still log me into the local
machine without a long delay (a few seconds should be Ok). Otherwise I
want everything to behave as normal. The fetching token behaviour should
be like klog.

The Debian package I'm using is libpam-openafs-kaserver, which I think is
the correct one. At any rate, it contains the file
/lib/security/pam_afs.so.

Thanks in advance.

                                               Faheem.

*************************************************************************
#
# The PAM configuration file for the Shadow `login' service
#
# NOTE: If you use a session module (such as kerberos or NIS+)
# that retains persistent credentials (like key caches, etc), you
# need to enable the `CLOSE_SESSIONS' option in /etc/login.defs
# in order for login to stay around until after logout to call
# pam_close_session() and cleanup.
#

# Outputs an issue file prior to each login prompt (Replaces the
# ISSUE_FILE option from login.defs). Uncomment for use
# auth       required   pam_issue.so issue=/etc/issue

# Disallows root logins except on tty's listed in /etc/securetty
# (Replaces the `CONSOLE' setting from login.defs)
auth       requisite  pam_securetty.so

# Disallows other than root logins when /etc/nologin exists
# (Replaces the `NOLOGINS_FILE' option from login.defs)
auth       requisite  pam_nologin.so

# This module parses /etc/environment (the standard for setting
# environ vars) and also allows you to use an extended config
# file /etc/security/pam_env.conf.
# (Replaces the `ENVIRON_FILE' setting from login.defs)
auth       required   pam_env.so

# Standard Un*x authentication. The "nullok" line allows passwordless
# accounts.
auth       required   pam_unix.so nullok

# This allows certain extra groups to be granted to a user
# based on things like time of day, tty, service, and user.
# Please uncomment and edit /etc/security/group.conf if you
# wish to use this.
# (Replaces the `CONSOLE_GROUPS' option in login.defs)
# auth       optional   pam_group.so

# Uncomment and edit /etc/security/time.conf if you need to set
# time restraints on logins.
# (Replaces the `PORTTIME_CHECKS_ENAB' option from login.defs
# as well as /etc/porttime)
# account    requisite  pam_time.so

# Uncomment and edit /etc/security/access.conf if you need to
# set access limits.
# (Replaces /etc/login.access file)
# account  required       pam_access.so

# Standard Un*x account and session
account    required   pam_unix.so
session    required   pam_unix.so

# Sets up user limits, please uncomment and read /etc/security/limits.conf
# to enable this functionality.
# (Replaces the use of /etc/limits in old login)
# session    required   pam_limits.so

# Prints the last login info upon successful login
# (Replaces the `LASTLOG_ENAB' option from login.defs)
session    optional   pam_lastlog.so

# Prints the motd upon successful login
# (Replaces the `MOTD_FILE' option in login.defs)
session    optional   pam_motd.so

# Prints the status of the user's mailbox upon successful login
# (Replaces the `MAIL_CHECK_ENAB' option from login.defs). You
# can also enable a MAIL environment variable from here, but it
# is better handled by /etc/login.defs, since userdel also uses
# it to make sure that removing a user, also removes their mail
# spool file.
session    optional   pam_mail.so standard noenv

# The standard Unix authentication modules, used with NIS (man nsswitch) as
# well as normal /etc/passwd and /etc/shadow entries. For the login service,
# this is only used when the password expires and must be changed, so make
# sure this one and the one in /etc/pam.d/passwd are the same. The "nullok"
# option allows users to change an empty password, else empty passwords are
# treated as locked accounts.
#
# (Add `md5' after the module name to enable MD5 passwords the same way that
# `MD5_CRYPT_ENAB' would do under login.defs).
#
# The "obscure" option replaces the old `OBSCURE_CHECKS_ENAB' option in
# login.defs. Also the "min" and "max" options enforce the length of the
# new password.

password   required   pam_unix.so nullok obscure min=4

# Alternate strength checking for password. Note that this
# requires the libpam-cracklib package to be installed.
# You will need to comment out the password line above and
# uncomment the next two in order to use this.
# (Replaces the `OBSCURE_CHECKS_ENAB', `CRACKLIB_DICTPATH')
#
# password required       pam_cracklib.so retry=3 minlen=6 difok=3
# password required       pam_unix.so use_authtok nullok md5
***************************************************************************
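As an added illustration (not part of Faheem's mail, the Debian package, or the OpenAFS guide), the following Python snippet simulates Linux-PAM's control-flag semantics over the posted auth stack with the guide's pam_afs.so line inserted after the requisite/required gating entries and before pam_unix.so. That placement is an assumption drawn from the guide's rule, and each module's success or failure is supplied as input, so what is exercised is the control flow: AFS success skips pam_unix, AFS failure (including an unreachable server) falls through to the local password, and securetty/nologin still gate the login first.

```python
"""Simulate Linux-PAM auth-stack control flow (required, requisite,
sufficient, optional) for a proposed /etc/pam.d/login auth section.
Module outcomes are caller-supplied; only the stack logic is modelled.
It cannot show how long pam_afs waits for an unreachable server."""

# Assumed placement: pam_afs.so after the gating entries, before pam_unix.so.
AUTH_STACK = [
    ("requisite", "pam_securetty.so"),
    ("requisite", "pam_nologin.so"),
    ("required", "pam_env.so"),
    ("sufficient", "pam_afs.so"),  # try_first_pass ignore_root
    ("required", "pam_unix.so"),   # nullok
]


def run_stack(stack, results):
    """Walk the stack the way pam_authenticate() does.

    results maps module name -> True (PAM_SUCCESS) or False (any error);
    modules not listed are treated as succeeding.
    Returns (authenticated, list of modules actually executed)."""
    executed = []
    failed_required = False
    for control, module in stack:
        ok = results.get(module, True)
        executed.append(module)
        if control == "requisite" and not ok:
            return False, executed            # abort the stack at once
        if control == "required" and not ok:
            failed_required = True            # keep going, final result fails
        elif control == "sufficient" and ok and not failed_required:
            return True, executed             # short-circuit: rest is skipped
        # a failing sufficient module and optional results are ignored
    return not failed_required, executed


def afs_up_good_password():
    return run_stack(AUTH_STACK, {"pam_afs.so": True})


def afs_unreachable_local_password_ok():
    # AFS server cannot be contacted: pam_afs errors, pam_unix decides.
    return run_stack(AUTH_STACK, {"pam_afs.so": False, "pam_unix.so": True})


def wrong_password_everywhere():
    return run_stack(AUTH_STACK, {"pam_afs.so": False, "pam_unix.so": False})


def nologin_present():
    # /etc/nologin exists: login fails before pam_afs is consulted at all.
    return run_stack(AUTH_STACK, {"pam_nologin.so": False, "pam_afs.so": True})
```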