Coda File System

Re: Sign-once system on Coda+Kerberos

From: Troy Benjegerdes <hozer_at_hozed.org>
Date: Thu, 30 Sep 2004 17:04:46 -0500
On Wed, Sep 29, 2004 at 04:03:59PM +0200, Ivan Popov wrote:
> Inspired by M.Kondrin's letter.
> 
> May be it will make the sense of the setup design more evident,
> if I try to describe a hypothetical but totally sane setup, based on Coda:
> 
> - clients have pam_aware login, which uses pam_something module
>   to check if a certain user "name" knows her password
> 
> - another pam module tells if a certain user "name"
>   may use the relevant host
> 
>   Note, pam_something can be (Kerberos, NIS, anything) based, but it is always
>   one and only function "name" => YES or NO
>   YES == ("is who she pretends to be" AND "is allowed to use this host")
> 
> if YES:
> - the login program just PICKS UP THE NEXT UNUSED UID (it does not matter
>   which uid, just let it be unused until then and afterwards, with 2^64
>   uids it is more or less infinite)
>   of course it logs which name corresponds to the uid, to be able
>   to identify processes afterwards.
>   it may create a corresponding new /etc/passwd entry, and even reuse it
>   at new logins with the same name.
>   only the numeric uid and user "name" are relevant there,
>   and can be lost without any harm (as long as the uids never are reused)
>   To be clear, uids make sense inside each host,
>   no reason to synchronize between hosts.
> 
> - the login program looks up (may be by some pam_somethingelse) the
>   homedir path corresponding to the user "name"

The login program need know nothing about this.... I believe this could
be accomplished with a "libnss_superdooperldap" library, along with some
extensions to NSCD (name service switch cache daemon).

I'm using libnss_ldap right now, with static mappings of
username->userid, but there's no reason a cache daemon running on the
local machine couldn't be responsible for allocating a local UID, and
local GID's for the groups the user is in.

You *could* do pam_ldap for auth, but I think it would be better in the
long run to use kerberos. The systems I admin at work use libnss_ldap
for anythign that would do 'getpwent' & friends, and use pam_krb5 (and
then pam_openafs_session) to get the user authenticated and access to
the filesystem.
Received on 2004-09-30 18:08:23