[OpenAFS] home on afs woes

Russ Allbery rra@stanford.edu
Wed, 04 Jan 2006 10:21:37 -0800

Juha J=E4ykk=E4 <juolja@utu.fi> writes:

> In my opinion, the problem is pam_krb5.so, which checks the .k5login
> file in pam_sm_authenticate(). Its own documentation says it only checks
> .k5login in pam_sm_acct_mgmt(), but this is incorrect. I am not sure
> this is a bug, though, and therefore haven't reported it. I just thought
> there must be people around who have these three working together and
> they must have a solution which is more general than depending on a
> single pam module. Comments?

.klogin and .k5login files have always had to be world-readable.  Consider
the case with ssh and forwarded credentials.  You have to authenticate the
user before you can accept tickets for them, and in order to authenticate
the user you have to be able to check the .k5login file.  Not checking the
.k5login file at the time of authentication is a bug; you may authenticate
a user who shouldn't be allowed to log in, and there are indeed programs
(xlockmore, for instance) that only call pam_authenticate.

The solution is to create a world-, or at least local-network-, readable
directory in every user's home directory, grant l access to the top level
of their home directory, move .k5login to the readable directory, and
symlink it.  So far as I know, every site that uses AFS with Kerberos has
had to deal with this; Stanford has been doing this for all users for over
a decade.  The l ACLs on the top level of the home directory are rather
unfortunate, but the other ways to work around this are much more complex.

Russ Allbery (rra@stanford.edu)             <http://www.eyrie.org/~eagle/>