Coda File System

Re: Sign-once system on Coda+Kerberos

From: M.Kondrin <>
Date: Sat, 02 Oct 2004 10:42:54 -0700
Hello, Troy!

 >>You *could* do pam_ldap for auth, but I think it would be better in the
 >>long run to use kerberos.

I do not intend to use pam_ldap for auth. Hesiod (and nss beneath it) is
used only for distributing system users' information (i.e. login name,
uid, gid, shell, home directory) across the local network. Authentication is
done with Kerberos (by means of the login.krb5 program or with xdm -
assuming we have X with Kerberos support enabled, which it is not by
default). So it seems to me that having Coda authenticate its users
through Kerberos is quite natural (we have the same user names in
Kerberos, Hesiod and Coda, but passwords are stored only in Kerberos).

>>The systems I admin at work use libnss_ldap
>>for anything that would do 'getpwent' & friends, and use pam_krb5 (and
>>then pam_openafs_session) to get the user authenticated and access to
>>the filesystem.

This is quite right - we have two problems - authorization and authentication. Authentication is done uniformly (through Kerberos by means of pam or straightforwardly with Kerberos-enabled programs), but authorization - it depends on what we really want (system login, access to Coda and so on) and distributing the information which the system (program) needs for authorization through nss is quite handy (authorization information is not as sensitive as authentication information and IMHO may be sent over insecure media with ldap, hesiod, nis and all other nss-stuff).

Best regards, Mike
Received on 2004-10-01 10:31:36