
pam authentication (Re: setting up an openafs server on Debian)



Hi,

Thanks for your helpful reply.

On Thu, 24 Jul 2003, Todd Pytel wrote:

> On Thu, 24 Jul 2003 16:06:37 -0400 (EDT)
> Faheem Mitha <faheem@email.unc.edu> wrote:

> > Does a tutorial for AFS server installation on Debian exist anywhere?
> > My impression is no.
>
> There's a decent write-up in the docs for one of the AFS packages - I
> don't remember which one specifically.  Those docs assume that you'll
> be setting AFS with MIT Kerb 5, which is recommended these days, so
> they won't quite apply to your university network.  But in any case, AFS
> isn't something that you'll just pick up in a day, especially if you're
> not familiar with Kerberos already.  If you have the machines to spare,
> I would strongly recommend setting up a private Kerberos realm before
> you get into AFS.

That is a good suggestion. I'll try setting up Kerberos first before doing
anything else.

In any case, there is another, hopefully bite-sized task which has been on
my todo list for a while. This is to enable integrated afs token fetching
and login onto my Linux machines. My users don't like typing klog, and
they can't remember it... :-)

I took a look at the Openafs quick start Unix guide and it says the
following.

*******************************************************************
Place the AFS entry below any entries that impose conditions under which you
want the service to fail for a user who does not meet the entry's
requirements. Mark these entries required. Place the AFS entry above any
entries that need to execute only if AFS authentication fails.

Insert the following AFS entry if using the Red Hat distribution:

auth  sufficient  /lib/security/pam_afs.so try_first_pass ignore_root
*********************************************************************

The /etc/pam.d/login file for my test machine (Debian) follows. This is
pretty much the default file; I've hardly modified it at all. I am not
sure where exactly to place this line. I get the general idea but am
afraid that if I put it in the wrong place I will not be able to log in.

It would be extremely nice if someone using openafs Debian would tell me
what line(s) they are using and where they put it.  Then I too could use
it with confidence that it will work. I hope it will not involve
rearranging the entries, though.

I basically want the login to behave as follows (if possible). If it
cannot contact the afs server it should still log me into the local
machine without a long delay (a few seconds should be Ok). Otherwise I
want everything to behave as normal. The fetching token behaviour should
be like klog.

The Debian package I'm using is libpam-openafs-kaserver, which I think is
the correct one. At any rate, it contains the file
/lib/security/pam_afs.so.

Thanks in advance.

                                               Faheem.

*************************************************************************
#
# The PAM configuration file for the Shadow `login' service
#
# NOTE: If you use a session module (such as kerberos or NIS+)
# that retains persistent credentials (like key caches, etc), you
# need to enable the `CLOSE_SESSIONS' option in /etc/login.defs
# in order for login to stay around until after logout to call
# pam_close_session() and cleanup.
#

# Outputs an issue file prior to each login prompt (Replaces the
# ISSUE_FILE option from login.defs). Uncomment for use
# auth       required   pam_issue.so issue=/etc/issue

# Disallows root logins except on tty's listed in /etc/securetty
# (Replaces the `CONSOLE' setting from login.defs)
auth       requisite  pam_securetty.so

# Disallows other than root logins when /etc/nologin exists
# (Replaces the `NOLOGINS_FILE' option from login.defs)
auth       requisite  pam_nologin.so

# This module parses /etc/environment (the standard for setting
# environ vars) and also allows you to use an extended config
# file /etc/security/pam_env.conf.
# (Replaces the `ENVIRON_FILE' setting from login.defs)
auth       required   pam_env.so

# Standard Un*x authentication. The "nullok" line allows passwordless
# accounts.
auth       required   pam_unix.so nullok

# This allows certain extra groups to be granted to a user
# based on things like time of day, tty, service, and user.
# Please uncomment and edit /etc/security/group.conf if you
# wish to use this.
# (Replaces the `CONSOLE_GROUPS' option in login.defs)
# auth       optional   pam_group.so

# Uncomment and edit /etc/security/time.conf if you need to set
# time restraints on logins.
# (Replaces the `PORTTIME_CHECKS_ENAB' option from login.defs
# as well as /etc/porttime)
# account    requisite  pam_time.so

# Uncomment and edit /etc/security/access.conf if you need to
# set access limits.
# (Replaces /etc/login.access file)
# account  required       pam_access.so

# Standard Un*x account and session
account    required   pam_unix.so
session    required   pam_unix.so

# Sets up user limits, please uncomment and read /etc/security/limits.conf
# to enable this functionality.
# (Replaces the use of /etc/limits in old login)
# session    required   pam_limits.so

# Prints the last login info upon successful login
# (Replaces the `LASTLOG_ENAB' option from login.defs)
session    optional   pam_lastlog.so

# Prints the motd upon successful login
# (Replaces the `MOTD_FILE' option in login.defs)
session    optional   pam_motd.so

# Prints the status of the user's mailbox upon successful login
# (Replaces the `MAIL_CHECK_ENAB' option from login.defs). You
# can also enable a MAIL environment variable from here, but it
# is better handled by /etc/login.defs, since userdel also uses
# it to make sure that removing a user, also removes their mail
# spool file.
session    optional   pam_mail.so standard noenv

# The standard Unix authentication modules, used with NIS (man nsswitch) as
# well as normal /etc/passwd and /etc/shadow entries. For the login service,
# this is only used when the password expires and must be changed, so make
# sure this one and the one in /etc/pam.d/passwd are the same. The "nullok"
# option allows users to change an empty password, else empty passwords are
# treated as locked accounts.
#
# (Add `md5' after the module name to enable MD5 passwords the same way that
# `MD5_CRYPT_ENAB' would do under login.defs).
#
# The "obscure" option replaces the old `OBSCURE_CHECKS_ENAB' option in
# login.defs. Also the "min" and "max" options enforce the length of the
# new password.

password   required   pam_unix.so nullok obscure min=4

# Alternate strength checking for password. Note that this
# requires the libpam-cracklib package to be installed.
# You will need to comment out the password line above and
# uncomment the next two in order to use this.
# (Replaces the `OBSCURE_CHECKS_ENAB', `CRACKLIB_DICTPATH')
#
# password required       pam_cracklib.so retry=3 minlen=6 difok=3
# password required       pam_unix.so use_authtok nullok md5
***************************************************************************
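One way to reason about where the pam_afs line can go, as an added example that is not from the original post or from the OpenAFS docs: a small Python simulator of Linux-PAM control-flag semantics (requisite/required/sufficient/optional) run over a constructed auth stack that follows the quoted placement rule. The stack contents and module outcomes are constructed; the try_first_pass and ignore_root options are not modelled.

```python
# Added example (not part of the original post): a tiny simulator of Linux-PAM
# control-flag semantics, used to check where the pam_afs line ends up in an
# auth stack. AUTH_STACK is a constructed placement following the quick-start
# rule quoted above (module paths shortened to basenames).
AUTH_STACK = """
auth  requisite   pam_securetty.so
auth  requisite   pam_nologin.so
auth  required    pam_env.so
auth  sufficient  pam_afs.so try_first_pass ignore_root
auth  required    pam_unix.so nullok
"""


def parse_stack(text, facility="auth"):
    """Return [(control, module)] for one facility, skipping blanks and comments."""
    stack = []
    for line in text.splitlines():
        parts = line.split()
        if parts and parts[0] == facility:   # "#"-prefixed lines never match
            stack.append((parts[1], parts[2]))
    return stack


def run_stack(stack, outcomes):
    """Walk the stack top to bottom; outcomes maps module -> True/False.

    Modules not listed in outcomes are assumed to return PAM_SUCCESS.
    Returns (authenticated, modules_called). Options such as try_first_pass
    and ignore_root are not modelled.
    """
    called = []
    required_failed = False
    for control, module in stack:
        called.append(module)
        ok = outcomes.get(module, True)
        if control == "requisite" and not ok:
            return False, called            # hard stop: nothing below is consulted
        if control == "required" and not ok:
            required_failed = True          # final result is failure, but keep walking
        if control == "sufficient" and ok and not required_failed:
            return True, called             # done: modules below (pam_unix) are skipped
        # a failing "sufficient" or an "optional" result does not decide the stack here
    return not required_failed, called


def misplaced_afs_first(stack):
    """Constructed counter-example: the same stack with pam_afs moved to the top."""
    afs = [e for e in stack if e[1] == "pam_afs.so"]
    return afs + [e for e in stack if e[1] != "pam_afs.so"]
```

With the AFS server unreachable, pam_afs fails, the `sufficient` result is ignored and pam_unix authenticates locally; with pam_afs moved above pam_securetty, an AFS success would bypass the securetty gate, which is why the guide puts it below the required entries.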


