[OpenAFS] running vos from "another" machine

hays@ibiblio.org
Wed, 24 Aug 2005 18:43:58 -0400

--On Wednesday, August 24, 2005 6:10 PM -0400 "Ron Croonenberg" 
<ronc@depauw.edu> wrote:

> Uhm, ok, someone else suggested to not do any "pam" stuff.. that way
> afs users can simply not use the machine.
> I thought that maybe there was some "elegant" way to do what I wanted.

I may be missing something, but if you install the afs client, but don't 
put an afs hook in the pam configuration for the sshd, only users with 
local accounts will be able to log in, and that won't open that machine to 
afs users. Pam can use a variety of sources for authentication, and you 
should use it, it's a Good Thing.

You can also set up pam so that it requires a local login, and also 
logs into the afs cell, but doesn't allow users who just authenticate via 
afs to connect. This is how my workstation is set up--that way only local 
accounts can log in, but anyone who does gets a token to afs when they do 
and doesn't have to klog.

Also, you can use the sshd configuration to specifically limit who can 
log in with ssh in any case, or force ssh logins to require a key (instead 
of using a password). So you could allow yourself, but disallow all others 
as an additional precaution.

Hope that helps,


bil hays
Network Manager
Computer Science, UNC CH
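
The PAM arrangements described in the message above can be checked with a small model of how Linux-PAM combines control flags. This is an added example, not part of the original post or of OpenAFS. The three stacks are constructed samples, and the model covers only the auth stack: sshd still needs the account to resolve locally.

```python
# Added illustration (not from the original post): simplified Linux-PAM
# evaluation of the "auth" lines of a PAM service file such as /etc/pam.d/sshd.
# All three stacks below are constructed samples.
AFS_SUFFICIENT = """\
auth sufficient pam_afs.so
auth required   pam_unix.so try_first_pass
"""
LOCAL_THEN_AFS = """\
auth required pam_unix.so
auth optional pam_afs.so use_first_pass   # reuse the password already typed
"""
NO_AFS_HOOK = "auth required pam_unix.so\n"


def parse_auth_stack(text):
    """Return [(control, module), ...] for the auth lines, comments stripped."""
    stack = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 3 and fields[0] == "auth":
            stack.append((fields[1], fields[2]))
    return stack


def auth_passes(text, accepting):
    """True if the stack authenticates when only `accepting` modules say yes."""
    failed = passed = False
    for control, module in parse_auth_stack(text):
        ok = module in accepting
        if ok:
            if control == "sufficient" and not failed:
                return True          # stop here, later modules never run
            passed = True
        elif control == "requisite":
            return False             # immediate failure
        elif control == "required":
            failed = True            # keep going, but the stack will fail
        # failed "sufficient"/"optional" modules are ignored
    return passed and not failed


def afs_only_password_admitted(text):
    """Would a password that only AFS accepts get through this stack?"""
    return auth_passes(text, {"pam_afs.so"})


if __name__ == "__main__":
    for name in ("AFS_SUFFICIENT", "LOCAL_THEN_AFS", "NO_AFS_HOOK"):
        print(name, afs_only_password_admitted(globals()[name]))
```

Only the stack that marks the AFS module "sufficient" ahead of the local check admits an AFS-only password. With the local module "required" and the AFS module "optional", the local password decides and the AFS step is a side effect.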