The following is from Transarc's AFS Installation Guide:
For each service with which you want to use AFS authentication, insert an entry for the AFS PAM module into the auth section of the service's PAM configuration file. (Linux uses a separate configuration file for each service, unlike some other operating systems which list all services in a single file.) Mark the entry as sufficient in the second field.
Place the AFS entry below any entries that impose conditions under which you want the service to fail for a user who does not meet the entry's requirements. These entries must be marked required. Place the AFS entry above any entries that you want to be executed only if AFS authentication fails.
Insert the following AFS entry if using the Red Hat distribution:
Insert the following AFS entry if using another distribution:
The following example illustrates the recommended configuration of the configuration file for the login service (/etc/pam.d/login) on a machine using the Red Hat distribution.
```
#%PAM-1.0
auth       required     /lib/security/pam_securetty.so
auth       required     /lib/security/pam_nologin.so
auth       sufficient   /lib/security/pam_afs.so try_first_pass ignore_root
auth       required     /lib/security/pam_pwdb.so shadow nullok
account    required     /lib/security/pam_pwdb.so
password   required     /lib/security/pam_cracklib.so
password   required     /lib/security/pam_pwdb.so shadow nullok use_authtok
session    required     /lib/security/pam_pwdb.so
```
After extensive tries and experiments I found the following to provide me with what I wanted. I have an account on both AFS and my desktop computer. If I have the same password for both, I am only asked for my password once, and I have permissions on both AFS and my computer. If my passwords are different, then I am asked for both my regular password, and then my AFS password.
```
#%PAM-1.0
auth       required     /lib/security/pam_securetty.so
auth       required     /lib/security/pam_nologin.so
auth       required     /lib/security/pam_pwdb.so shadow nullok
auth       sufficient   /lib/security/pam_afs.so use_first_pass ignore_root
account    required     /lib/security/pam_pwdb.so
password   required     /lib/security/pam_cracklib.so
password   required     /lib/security/pam_pwdb.so shadow nullok use_authtok
session    required     /lib/security/pam_pwdb.so
session    optional     /lib/security/pam_console.so
```
Something similar should be done for every service file in the /etc/pam.d directory through which a person accessing the computer would want their AFS files (i.e. login, slogin, ftp).
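To see why the position of the `sufficient` pam_afs.so entry matters, here is an added example (not from the Transarc guide or the author of this How-To) that simulates Linux-PAM's classic control-flag evaluation over the two auth stacks above. The module outcomes are constructed inputs; nothing here calls real PAM.

```python
# Simulation of Linux-PAM's classic control flags (required, requisite,
# sufficient, optional) over the "auth" stack of a pam.d file. Added example.

def parse_auth_stack(config_text):
    """Return [(control, module, args)] for the auth lines of a pam.d file."""
    stack = []
    for line in config_text.splitlines():
        fields = line.split()
        if not fields or fields[0] != "auth":   # skips comments such as #%PAM-1.0
            continue
        stack.append((fields[1], fields[2].rsplit("/", 1)[-1], fields[3:]))
    return stack

def run_auth_stack(stack, outcomes):
    """Evaluate the stack; outcomes maps module name -> simulated pass/fail
    (modules not listed are assumed to pass). Returns (granted, consulted)."""
    consulted, prior_failure = [], False
    for control, module, _args in stack:
        ok = outcomes.get(module, True)
        consulted.append(module)
        if control == "required" and not ok:
            prior_failure = True            # remembered, but the stack continues
        elif control == "requisite" and not ok:
            return False, consulted         # immediate failure
        elif control == "sufficient" and ok and not prior_failure:
            return True, consulted          # short-circuits the remaining modules
        # a failing "sufficient" or any "optional" module is ignored
    return not prior_failure, consulted

# The two auth stacks from this page, as constructed input strings.
GUIDE_STACK = """\
#%PAM-1.0
auth required   /lib/security/pam_securetty.so
auth required   /lib/security/pam_nologin.so
auth sufficient /lib/security/pam_afs.so try_first_pass ignore_root
auth required   /lib/security/pam_pwdb.so shadow nullok
"""
LOCAL_FIRST_STACK = """\
auth required   /lib/security/pam_securetty.so
auth required   /lib/security/pam_nologin.so
auth required   /lib/security/pam_pwdb.so shadow nullok
auth sufficient /lib/security/pam_afs.so use_first_pass ignore_root
"""

def compare(outcomes):
    """Run both stacks against the same simulated module outcomes."""
    return {name: run_auth_stack(parse_auth_stack(text), outcomes)
            for name, text in (("guide", GUIDE_STACK), ("local_first", LOCAL_FIRST_STACK))}
```

With a correct AFS password but a wrong local password, the guide's ordering grants login without ever consulting pam_pwdb.so, while the local-first ordering denies it; a failed `required` entry above pam_afs.so (for example /etc/nologin present) denies login in both.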
How-To
Aug 20, 1999