The discussion of ACLs on home directories in AFS brings up a number of
nagging issues I have always had with the way this is handled.
I would like to propose that the real solution to the problem is to get
the AFS token before *ANY* access to the home directory in AFS is attempted.
I am not sure if the AFS login does this for local logins, but I doubt Xdm,
CDE or PAM do this, and the Kerberos daemons have not done this in the past.
Unix login, either remote or local, implicitly assumes that the home
directory will be readable. This leads to the problem when the home
directory is not readable by login, such as with a distributed file system
like AFS. The current remedies have been well covered in many of the
responses to this question, none of which are very satisfying.
The catch-22 here is that there are some files in the home directory
which are used to determine if the user can log in, or options used during login,
such as .k5login, .hushlogin and others.
I would like to see the AFS token obtained as soon as the AFS/Kerberos
principal has been identified, even if this principal has not been determined
to be allowed on the local machine. This token would then be used to gain access
to the home directory in AFS, so the .k5login could be read. Then if the
.k5login does not allow access, the token could be discarded.
Having to read the .k5login before getting the token is not necessary
since it is really only used to determine if the local account can be used.
You can get the token without actually using the local account, setting it
in its own PAG. If the .k5login test fails, discard the token.
Since some systems also check for the existence of the home directory,
this must be done before that test too. (Actually you could do the current check
and if the check fails, then try and get the token, then check again.)
This would allow the AFS home directory to be set up as readable only by
the principal, thus improving security.
This will take some work, as ALL the daemons which do authentication
and access the home directory will need to be fixed before one could
tighten the ACLs on the home directories.
Comments?
--
Douglas E. Engert <[EMAIL PROTECTED]>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
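The ordering proposed in the message, written out as an added model in Python (not code from the post, nor from AFS or any login daemon): a home directory whose ACL admits only its owner's token, a .k5login parser, the current "read .k5login before the token" order that fails on such a directory, and the proposed order that obtains the token in its own PAG first and discards it when .k5login does not admit the principal. The directory, the token function and the principal names are constructed for the example.

```python
from dataclasses import dataclass, field


@dataclass
class AfsHome:
    """Constructed stand-in for an AFS home directory whose ACL admits only `owner`."""
    owner: str
    files: dict = field(default_factory=dict)

    def read(self, name, pag_tokens):
        # AFS checks the tokens held in the caller's PAG; without the owner's token the read fails.
        if self.owner not in pag_tokens:
            raise PermissionError(f"{name}: no token for {self.owner} in this PAG")
        return self.files.get(name)


def parse_k5login(text):
    """.k5login lists one Kerberos principal per line; blank lines are ignored."""
    return {line.strip() for line in text.splitlines() if line.strip()}


def current_login(principal, home):
    """The catch-22 order: read .k5login with no token, so a principal-only ACL blocks login."""
    try:
        text = home.read(".k5login", pag_tokens=set())
    except PermissionError:
        return False  # cannot even see the file that would authorize the login
    return text is not None and principal in parse_k5login(text)


def proposed_login(principal, home, get_token):
    """Proposed order: token first (in a fresh PAG), then .k5login, then discard on failure.
    Returns (allowed, tokens left in the PAG); get_token is a constructed token issuer."""
    pag = {get_token(principal)}  # step 1: obtain the AFS token before touching the home directory
    try:
        text = home.read(".k5login", pag)  # step 2: read .k5login using that token
    except PermissionError:
        pag.clear()  # token did not open the directory: drop it and deny
        return False, pag
    if text is None or principal not in parse_k5login(text):
        pag.clear()  # step 3: .k5login does not admit the principal, so discard the token
        return False, pag
    return True, pag
```

In the model the token is just the principal name; a real implementation would obtain it from the cell's servers inside a new PAG.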