[OpenAFS] account support in pam_afs.so?

Todd M. Lewis Todd_Lewis@unc.edu
Tue, 10 Jun 2003 11:15:54 -0400


Karl Bowden wrote:
> 
> I do not want to resort to merging all afs users into each machine's
> /etc/passwd file, as that has the potential to get messy real quick, and
> is not a very clean solution in regards to what pam was designed for.
> So is it possible to use pam_afs.so to retrieve account information from
> kas or some other place to store the information?

Karl,

I put together a little pam module a couple of years ago (based on code 
originally by Andrew Morgan <morgan@parc.power.net> 1996/3/11) that you 
may want to modify for your purposes. It's specific to our site, but if 
you have a way to tell if a user is legit, it may be useful to you.

To understand how it works, you have to know a little bit about our 
site.  We have this file in AFS that contains what would be the 
/etc/passwd entry for everybody in our cell, plus some comma-delimited 
flags on the end that indicate stuff you don't care about. The point is, 
I can use this information to build an /etc/passwd entry for anybody who 
might be a legitimate user in our cell.

This pam module goes in front of everything else in the stack like so:

     auth  required  /lib/security/pam_propup.so shadow

and it always returns PAM_SUCCESS. The useful part is the side effect it 
has of reading that AFS file and adding an entry in /etc/passwd (and 
updating the shadow file if the "shadow" parm is given) for anybody 
who's trying to log in who is also a valid user according to the AFS 
file.  This way I don't have to set up my users in advance; they get 
/etc/passwd entries automatically when they first try to log in to the 
system.

Obviously, you would need to have some out-of-band way of determining if 
the person trying to log in should have an /etc/passwd entry created for 
him, what shell he should get, the uid and gid numbers, etc., and that 
determination is going to vary from site to site.  Anyway, it turns out 
to be a pretty simple piece of code to customize if you're up for it. 
Grab it at http://tarna.oit.unc.edu/~utoddl/propup.tar.gz (7kb) if 
you're interested.

Cheers,
-- 
     +-------------------------------------------------------------+
    /Todd_Lewis@unc.edu  919-962-5273  http://www.unc.edu/~utoddl /
   /   A picture is worth a thousand words, or in the case of    /
  /     modern art, the same word repeated a thousand times.    /
+-------------------------------------------------------------+
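The decision logic behind that "propup" side effect, as an added illustration written for this thread rather than Todd's actual module (his source is only in the linked tarball): look the user up in the AFS-hosted site file, drop the trailing flag field, and produce the /etc/passwd line to append, but only if the local file does not already have one. The site-file layout, the sample entries and the function names are assumptions; a real module would also take a lock before appending to /etc/passwd and, as Todd says, return PAM_SUCCESS either way, so the module that really authenticates must follow it in the stack.

```c
#include <string.h>
/* Constructed sample of the AFS-hosted site file: a passwd-format line per
 * cell user plus a trailing comma-delimited flag field (layout assumed). */
static const char SITE_FILE[] =
    "alice:x:1001:100:Alice Example:/afs/example.edu/home/alice:/bin/bash:flagA,flagB\n"
    "bob:x:1002:100:Bob Example:/afs/example.edu/home/bob:/bin/tcsh:\n";
/* Constructed sample of the local /etc/passwd contents. */
static const char LOCAL_PASSWD[] =
    "root:x:0:0:root:/root:/bin/bash\n"
    "bob:x:1002:100:Bob Example:/afs/example.edu/home/bob:/bin/tcsh\n";

/* Finds the line in passwd-format text `text` whose first field is exactly
 * `user`. Returns its start and stores its length, or NULL if absent. */
static const char *find_user_line(const char *text, const char *user, size_t *len)
{
    size_t ulen = strlen(user);
    for (const char *p = text; *p; ) {
        const char *eol = strchr(p, '\n');
        *len = eol ? (size_t)(eol - p) : strlen(p);
        if (*len > ulen && p[ulen] == ':' && strncmp(p, user, ulen) == 0)
            return p;
        if (!eol) break;
        p = eol + 1;
    }
    return NULL;
}

/* Returns 1 if `user` already has an entry in passwd-format text `pw`. */
int has_passwd_entry(const char *pw, const char *user)
{
    size_t len;
    return find_user_line(pw, user, &len) != NULL;
}

static char g_entry[512];
/* What a propup-style module would do for `user`: NULL if the user already
 * has a local entry or is unknown to the site file; otherwise the 7-field
 * /etc/passwd line to append, with the site-specific flag field dropped. */
const char *provision_user(const char *site, const char *local, const char *user)
{
    size_t len, i, colons = 0;
    const char *line;
    if (has_passwd_entry(local, user)) return NULL;   /* never add a duplicate */
    line = find_user_line(site, user, &len);
    if (!line) return NULL;                           /* not a cell user */
    for (i = 0; i < len; i++)                         /* stop at the 7th ':' */
        if (line[i] == ':' && ++colons == 7) break;
    if (colons < 6 || i >= sizeof g_entry) return NULL; /* malformed: refuse */
    memcpy(g_entry, line, i);
    g_entry[i] = '\0';
    return g_entry;
}
```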