Coda File System

Re: authentication

From: <>
Date: Wed, 02 Jul 2008 08:16:29 -0400
Hi Yves,

On Tue, Jul 01, 2008 at 10:56:59PM -0600, Yves Dorfsman wrote:
> On a small network still using password and shadow files (as opposed to 
> LDAP, Kerberos etc...), is there an easy way to keep the CODA 
> authentication system in sync with the password file ?

Apparently not. :)

There is fundamentally no connection between
Coda authentication and local login authentication.

Remember that Coda is more than your single realm.
Your client computers will eventually access other realms as well
and your realm's files will be possibly (legitimately) accessed via client
computers other than those where you are the super user.

So do not take such synchronisation too serious. What you can do is
to make authentication to Your Coda realm less painful for the people
using Your client computers. Coda differs from NFS a lot, among others:

Coda file service is not coupled to your administration of the client
computers. No kidding.

One useful approach to their cooperation can be:

- use the same "trusted third party" authentication service for both your
  Coda realm and your client computers login (there is reasonable
  support for Kerberos as the underlying service)
  (So you solve keeping passwords in sync - otherwise feel free
  to use any other approach, like a policy that any login password
  change muct be accompanied by a corresponding Coda password change,
  that's all)
- use pam_script module to run clog after pam_krb5, using the newly
  created/updated Kerberos credentials cache file
  (This would apparently not work without Kerberos, but you may instead
  use a hacked pam_exec / pam_script which would pipe the login
  password to clog with the same end result - as long as the login
  password and the home directory Coda realm passwords happen to coincide)

The above, with Kerberos, works fine here. This works even if you
use Kerberos GSSAPI with ssh and allow ssh to forward the tickets.

> If you host the home directories on CODA, how can you make people 
> automatically login to CODA when they login to UNIX ?

As I explained, this works only on specially configured client
computers, while a home directory on Coda is very useful due to its
globality, on _any_ computer with Coda. So your users should be
prepared to do things like

- log in failsafe, run clog <codaaccount>@<codarealm>
- logout and then log in again, normally

Regards and good luck Yves.
Feel free to ask more - and also to contribute by writing the Wiki.
Received on 2008-07-03 11:07:06