[OpenAFS] /etc/pam.d/login
Norman P. B. Joseph
joseph@ctc.com
Mon, 15 Nov 2004 15:34:46 -0500
I found it useful to put the AFS PAM entry into /etc/pam.d/system-auth,
which, in Red Hat's PAM scheme, is included in just about every other
PAM configuration file. (The system-auth PAM file is generated by one
of the Red Hat GUI admin tools, which doesn't know about AFS
authentication, so if you use those you'll have to be careful about
overwriting your changes.)
The only other AFS PAM entry I use in /etc/pam.d is in the xscreensaver
configuration file, because that entry uses slightly different options.
These configurations work for me:
***** /etc/pam.d/system-auth *****
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required /lib/security/$ISA/pam_env.so
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
auth sufficient /lib/security/pam_afs.so try_first_pass ignore_root
auth required /lib/security/$ISA/pam_deny.so
account required /lib/security/$ISA/pam_unix.so
password required /lib/security/$ISA/pam_cracklib.so retry=3 type=
password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow nis
password required /lib/security/$ISA/pam_deny.so
session required /lib/security/$ISA/pam_limits.so
session required /lib/security/$ISA/pam_unix.so
**********
***** /etc/pam.d/xscreensaver *****
#%PAM-1.0
# Red Hat says this is right for them, as of 7.3:
#auth required pam_stack.so service=system-auth
# imported from system-auth
auth required /lib/security/$ISA/pam_env.so
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
auth sufficient /lib/security/pam_afs.so use_first_pass ignore_root refresh_token debug
auth required /lib/security/$ISA/pam_deny.so
# This is what we were using before:
# auth required pam_pwdb.so shadow nullok
**********
-norm
On Mon, 2004-11-15 at 08:25, Ron Croonenberg wrote:
> Hello,
>
> I am trying to install OpenAFS 1.2.13 from scratch on a linux server (RHEL3).
>
> When I install the client rpm (openafs-client-1.2.13-rhel3.0.1.i386.rpm) part
> of the messages I see are like :
>
> *****
> Also, you may want to edit /etc/pam.d/login and
> possibly others there to get an AFS token on login.
> Put the line:
>
> auth sufficient /lib/security/pam_afs.so try_first_pass ignore_root
>
> before the one for pwdb.
> *****
>
> but ... there's no line in the '/etc/pam.d/login' file that has 'pwdb' in it.
>
> here's what is in my /etc/pam.d/login :
> #%PAM-1.0
> auth required pam_securetty.so
> auth required pam_stack.so service=system-auth
> auth required pam_nologin.so
> account required pam_stack.so service=system-auth
> password required pam_stack.so service=system-auth
> session required pam_stack.so service=system-auth
> session optional pam_console.so
>
>
> should this file be different ?
>
> thanks,
>
> Ron
>
>
>
>
>
> =================================================================
> 1879:
> Thomas Edison gets an idea, and his brother Timmy says,
> "Hey, what's that thing over your head?
> =================================================================
> Ron Croonenberg | Phone: 1 765 658 4761
> Technology Coordinator | Fax: 1 765 658 4732
> |
> Department of ComputerScience | e-mail : ronc@DePauw.edu
> DePauw University |
> Julian Science & Math Center |
> 602 South College Ave. |
> Greencastle, IN 46135 |
> =================================================================
> http://www.depauw.edu/acad/computer/RonCroonenberg.asp
> =================================================================
--
Norman Joseph, System Engineer joseph@ctc.com IC|XC
Concurrent Technologies Corporation 814/269.2633 --+--
Federal Systems Group/IT & Systems Engineering NI|KA
***** If we don't change the direction we are headed, *****
we will end up where we are going.
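
One way to notice that a regenerated system-auth has lost the AFS entry, or that the entry sits where it cannot take effect, is to check the auth stack mechanically. This is an added example, not part of the original message or of OpenAFS; the function names and the REGENERATED and MISPLACED samples are constructed for illustration.

```python
import os

def parse_pam(text):
    """Return (type, control, module file name, args) for each rule line."""
    rules = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()  # drops comments and the #%PAM-1.0 header
        if len(fields) >= 3:
            rules.append((fields[0], fields[1], os.path.basename(fields[2]), fields[3:]))
    return rules

def check_afs_auth(text):
    """Return a list of problems with the pam_afs.so auth entry; empty means OK."""
    auth = [r for r in parse_pam(text) if r[0] == "auth"]
    modules = [r[2] for r in auth]
    if "pam_afs.so" not in modules:
        return ["no pam_afs.so auth entry (file regenerated?)"]
    problems = []
    at = modules.index("pam_afs.so")
    _, control, _, args = auth[at]
    if control != "sufficient":
        problems.append("pam_afs.so control is '%s', not 'sufficient'" % control)
    if "try_first_pass" not in args and "use_first_pass" not in args:
        problems.append("pam_afs.so has neither try_first_pass nor use_first_pass")
    # A required pam_deny.so ahead of pam_afs.so has already failed the stack,
    # so a later 'sufficient' success cannot let the user in.
    if any(r[2] == "pam_deny.so" and r[1] in ("required", "requisite") for r in auth[:at]):
        problems.append("pam_afs.so is listed after pam_deny.so")
    return problems

# Auth and account lines as posted in the system-auth file above.
POSTED = """#%PAM-1.0
auth required /lib/security/$ISA/pam_env.so
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
auth sufficient /lib/security/pam_afs.so try_first_pass ignore_root
auth required /lib/security/$ISA/pam_deny.so
account required /lib/security/$ISA/pam_unix.so
"""
AFS_LINE = "auth sufficient /lib/security/pam_afs.so try_first_pass ignore_root\n"
# Constructed: the same file after a regeneration dropped the AFS line.
REGENERATED = POSTED.replace(AFS_LINE, "")
# Constructed: AFS line pasted at the end of the auth stack, after pam_deny.so.
MISPLACED = REGENERATED.replace("account required", AFS_LINE + "account required")

if __name__ == "__main__":
    for name, text in (("posted", POSTED), ("regenerated", REGENERATED),
                       ("misplaced", MISPLACED)):
        print(name, check_afs_auth(text) or "ok")
```

Pointing `check_afs_auth` at the contents of /etc/pam.d/system-auth after each run of the configuration tool gives a quick regression check for the overwrite problem described in the message.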