Import Upstream version 1.8.5
1 <?xml version="1.0" encoding="UTF-8"?>
2 <appendix id="Legacy">
3 <title>Appendix B. Configuring Legacy Components</title>
4
5 <para>This chapter describes how to configure a number of deprecated
6 components in OpenAFS. Whilst these components are not recommended for sites
7 performing new installations, it is recognised that there are a number of
8 installations which have not yet transitioned from using these, for whom
9 continued provision of installation instructions may be useful.</para>
10
11 <sect1 id="KAS001">
12 <title>kaserver and Legacy Kerberos 4 Authentication</title>
13
14 <para>This section contains instructions for installing server and client
15 machines in sites which use either the deprecated AFS
16 <emphasis role="bold">kaserver</emphasis> or legacy Kerberos 4
17 authentication systems.</para>
18
19 <para>This should be used in conjunction with the installation instructions
20 in earlier chapters, whose format it mirrors.</para>
21
22 <sect2 id="KAS002">
23 <title>Background</title>
24
25 <para>As detailed in the OpenAFS "No more DES" roadmap, OpenAFS is moving
26 away from the single DES based security models of both
27 <emphasis role="bold">kaserver</emphasis> and external Kerberos 4 KDCs,
28 in favour of using external, Kerberos 5 KDCs for authentication.</para>
29
30 <para>AFS version 3 was designed and implemented during the late 80s and
31 early 90s when the state of the art in distributed computer
32 authentication and data security was Kerberos 4 and single DES. The
33 RXKAD security class was specified to use a single DES key and the kauth
34 authentication protocol is a derivative of MIT's Kerberos 4 protocol.
35 </para>
36
37 <para>For the better part of the last decade there has been concern
38 regarding the cryptographic strength of the DES cipher when used as a
39 building block within systems intended to prove authentication and/or
40 data integrity and privacy. Kerberos 4 and RXKAD are not extensible and
41 cannot negotiate non-DES key types. As a result efforts to migrate away
42 from Kerberos 4 based authentication at higher risk organizations have
43 been underway since the mid to late 90s. Ken Hornstein issued the first
44 of his Kerberos 5 migration kits for AFS in May 1999. </para>
45
46 <para>In March 2003, the continued use of single DES and kauth as the
47 basis for OpenAFS security became a real-world threat when a significant
48 Kerberos 4 crossrealm vulnerability was published. The OpenAFS community
49 was notified in security advisory OPENAFS-SA-2003-001 which can be
50 found at http://www.openafs.org/security.</para>
51
52 <para>As a result of the mounting concerns regarding the strength of
53 DES, NIST announced in May 2003 the withdrawal of FIPS 46-3
54 "Data Encryption Standard (DES)" as well as the associated FIPS 74 and
55 FIPS 81. In other words, NIST announced that DES and its derivatives
56 could no longer be used by the United States Government and should no
57 longer be used by those that trust its lead.</para>
58
59 <para>In July 2003 MIT announced the end of life of the Kerberos 4
60 protocol which is distributed for backward compatibility as part of the
61 MIT Kerberos 5 distribution.</para>
62 </sect2>
63 <sect2 id="KAS003">
64 <title>Using this Appendix</title>
65
66 <para>This appendix should be read in conjunction with the instructions
67 contained in the earlier chapters. It contains additions and in some
68 cases, modifications, to the directions contained in those
69 chapters. It is organised into 3 main sections, corresponding to the
70 topics of the earlier chapters.
71 <orderedlist>
72 <listitem>
73 <para>Installing the First AFS Machine</para>
74 </listitem>
75 <listitem>
76 <para>Installing Additional Server Machines</para>
77 </listitem>
78 <listitem>
79 <para>Installing Additional Client Machines</para>
80 </listitem>
81 </orderedlist></para>
82
83 <para>There is an additional section on installing AFS login
84 functionality, which is relevant to all machines which are operating as
85 AFS clients.</para>
86
87 <para>In addition, some general substitutions should be made:
88 <itemizedlist>
89 <listitem>
90 <para>References to <emphasis role="bold">kinit</emphasis> and
91 <emphasis role="bold">aklog</emphasis> should be replaced with
92 a single call to <emphasis role="bold">klog</emphasis></para>
93 <para>For example
94 <programlisting>
95 # <emphasis role="bold">kinit admin</emphasis>
96 Password: <replaceable>admin_passwd</replaceable>
97 # <emphasis role="bold">aklog</emphasis>
98 </programlisting>
99 becomes
100 <programlisting>
101 # <emphasis role="bold">klog admin</emphasis>
102 Password: <replaceable>admin_passwd</replaceable>
103 </programlisting></para>
104 </listitem>
105 </itemizedlist></para>
106 </sect2>
107 <sect2 id="KAS003a">
108 <title>Installing the First AFS machine</title>
109
110 <para>This section details changes to the installation procedure for the
111 first AFS machine which are required in order to use
112 <emphasis role="bold">kaserver</emphasis> for authentication. As
113 detailed above, new sites are strongly discouraged from deploying
114 kaserver.</para>
115
116 <para>The structure of this section follows the structure of the
117 earlier chapter.</para>
118
119 <sect3 id="F">
120 <title>Overview: Installing Server Functionality</title>
121
122 <para>In addition to the items described, you must also create
123 the Authentication Server as a database server process. The procedure
124 for creating the initial security mechanisms is also changed.</para>
125 </sect3>
126
127 <sect3 id="KAS006">
128 <title>Starting the kaserver Database Server Process</title>
129 <indexterm>
130 <primary>Authentication Server</primary>
131 <secondary>starting</secondary>
132 <tertiary>first AFS machine</tertiary>
133 </indexterm>
134 <indexterm>
135 <primary>first AFS machine</primary>
136 <secondary>Authentication Server</secondary>
137 </indexterm>
138 <indexterm>
139 <primary>kaserver process</primary>
140 <see>Authentication Server</see>
141 </indexterm>
142 <indexterm>
143 <primary>starting</primary>
144 <secondary>Authentication Server</secondary>
145 <tertiary>first AFS machine</tertiary>
146 </indexterm>
147
148 <para>In addition to the database server processes described, you
149 must also use the <emphasis role="bold">bos create</emphasis> command
150 to create an entry for the following process, which runs on database
151 server machines only:
152 <itemizedlist>
153 <listitem>
154 <para>The Authentication Server
155 (the <emphasis role="bold">kaserver</emphasis> process) maintains
156 the Authentication Database</para>
157 </listitem>
158 </itemizedlist></para>
159
160 <para>The following instructions include the
161 <emphasis role="bold">-cell</emphasis> argument on all applicable
162 commands. Provide the cell name you assigned in
163 <link linkend="HDRWQ51">Defining Cell Name and Membership for Server
164 Processes</link>. If a command appears on multiple lines, it is
165 only for legibility. The following commands should run before any of
166 the <emphasis role="bold">bos create</emphasis> commands detailed in
167 <link linkend="HDRWQ52">Starting the Database Server Processes</link>.
168 </para>
169
170 <orderedlist>
171 <listitem>
172 <para>
173 <indexterm>
174 <primary>commands</primary>
175 <secondary>bos create</secondary>
176 </indexterm>
177 <indexterm>
178 <primary>bos commands</primary>
179 <secondary>create</secondary>
180 </indexterm>
181 Issue the <emphasis role="bold">bos create</emphasis>
182 command to start the Authentication Server. The current
183 working directory is still
184 <emphasis role="bold">/usr/afs/bin</emphasis>.
185 <programlisting>
186 # <emphasis role="bold">./bos create</emphasis> &lt;<replaceable>machine name</replaceable>&gt; <emphasis role="bold">kaserver simple /usr/afs/bin/kaserver</emphasis> \
187 <emphasis role="bold"> -cell</emphasis> &lt;<replaceable>cell name</replaceable>&gt; <emphasis role="bold">-noauth</emphasis>
188 </programlisting>
189 </para>
190
191 <para>You can safely ignore the messages that tell you to add
192 Kerberos to the <emphasis role="bold">/etc/services</emphasis>
193 file; AFS uses a default value that makes the addition
194 unnecessary. You can also ignore messages about the failure of
195 authentication.</para>
196 </listitem>
197 <listitem>
198 <para>Return to <link linkend="HDRWQ52">Starting the Database Server
199 Processes</link> and follow the remaining instructions</para>
200 </listitem>
201 </orderedlist>
202 </sect3>
203 <sect3 id="KAS007">
204 <title>Initialising Cell Security with kaserver </title>
205
206 <note>
207 <para>The following instructions should be followed in place of
208 those in <link linkend="HDRWQ53">Initializing Cell Security</link>
209 </para>
210 </note>
211
212 <para>Begin by creating the following two initial entries in the
213 Authentication Database:
214 <itemizedlist>
215 <listitem>
216 <para>A generic administrative account, called
217 <emphasis role="bold">admin</emphasis> by convention. If you
218 choose to assign a different name, substitute it throughout the
219 remainder of this document.</para>
220
221 <para>After you complete the installation of the first machine,
222 you can continue to have all administrators use the
223 <emphasis role="bold">admin</emphasis> account, or you can create
224 a separate administrative account for each of them. The latter
225 scheme implies somewhat more overhead, but provides a more
226 informative audit trail for administrative operations.</para>
227 </listitem>
228
229 <listitem>
230 <para>The entry for AFS server processes, called
231 <emphasis role="bold">afs</emphasis>. No user logs in under this
232 identity, but the Authentication Server's Ticket Granting Service
233 (TGS) module uses the associated key to encrypt the server
234 tickets that it grants to AFS clients for presentation to server
235 processes during mutual authentication. (The chapter in the
236 <emphasis>OpenAFS Administration Guide</emphasis> about cell
237 configuration and administration describes the role of server
238 encryption keys in mutual authentication.)</para>
239
240 <para>In Step <link linkend="AppendixLIWQ58">7</link>, you also
241 place the initial AFS server encryption key into the <emphasis
242 role="bold">/usr/afs/etc/KeyFile</emphasis> file. The AFS server
243 processes refer to this file to learn the server
244 encryption key when they need to decrypt server tickets.</para>
245 </listitem>
246 </itemizedlist>
247 </para>
248
249 <para>You also issue several commands that enable the new
250 <emphasis role="bold">admin</emphasis> user to issue privileged
251 commands in all of the AFS suites.</para>
252
253 <para>The following instructions do not configure all of the security
254 mechanisms related to the AFS Backup System. See the chapter in the
255 <emphasis>OpenAFS Administration Guide</emphasis> about configuring
256 the Backup System.
257 <orderedlist>
258 <indexterm>
259 <primary>commands</primary>
260 <secondary>kas (interactive)</secondary>
261 </indexterm>
262
263 <indexterm>
264 <primary>kas commands</primary>
265 <secondary>interactive mode, entering</secondary>
266 </indexterm>
267
268 <indexterm>
269 <primary>interactive mode for kas</primary>
270 <secondary>entering</secondary>
271 </indexterm>
272
273 <listitem>
274 <para>Enter <emphasis role="bold">kas</emphasis> interactive
275 mode. Because the machine is in no-authorization checking
276 mode, include the <emphasis role="bold">-noauth</emphasis> flag
277 to suppress the Authentication Server's usual prompt for a
278 password.
279 <programlisting>
280 # <emphasis role="bold">kas -cell</emphasis> &lt;<replaceable>cell name</replaceable>&gt; <emphasis role="bold">-noauth</emphasis>
281 ka&gt;
282 </programlisting>
283 <indexterm>
284 <primary>commands</primary>
285 <secondary>kas create</secondary>
286 </indexterm>
287 <indexterm>
288 <primary>kas commands</primary>
289 <secondary>create</secondary>
290 </indexterm>
291 <indexterm>
292 <primary>server encryption key</primary>
293 <secondary>in Authentication Database</secondary>
294 </indexterm>
295 <indexterm>
296 <primary>creating</primary>
297 <secondary>server encryption key</secondary>
298 <tertiary>Authentication Database</tertiary>
299 </indexterm>
300 </para>
301 </listitem>
302
303 <listitem id="AppendixLIWQ54">
304 <para>Issue the
305 <emphasis role="bold">kas create</emphasis> command to create
306 Authentication Database entries called
307 <emphasis role="bold">admin</emphasis> and
308 <emphasis role="bold">afs</emphasis>.</para>
309
310 <para>Do not provide passwords on the command line. Instead
311 provide them as <replaceable>afs_passwd</replaceable> and
312 <replaceable>admin_passwd</replaceable> in response to the
313 <emphasis role="bold">kas</emphasis> command interpreter's
314 prompts as shown, so that they do not appear on the standard
315 output stream.</para>
316
317 <para>You need to enter the <replaceable>afs_passwd</replaceable>
318 string only in this step and in Step
319 <link linkend="AppendixLIWQ58">7</link>, so provide a value that
320 is as long and complex as possible, preferably including numerals,
321 punctuation characters, and both uppercase and lowercase letters.
322 Also make the <replaceable>admin_passwd</replaceable> as
323 long and complex as possible, but keep in mind that
324 administrators need to enter it often. Both passwords must be
325 at least six characters long.</para>
326
327 <programlisting>
328 ka&gt; <emphasis role="bold">create afs</emphasis>
329 initial_password: <replaceable>afs_passwd</replaceable>
330 Verifying, please re-enter initial_password: <replaceable>afs_passwd</replaceable>
331 ka&gt; <emphasis role="bold">create admin</emphasis>
332 initial_password: <replaceable>admin_passwd</replaceable>
333 Verifying, please re-enter initial_password: <replaceable>admin_passwd</replaceable>
334 </programlisting>
335
336 <indexterm>
337 <primary>commands</primary>
338 <secondary>kas examine</secondary>
339 </indexterm>
340
341 <indexterm>
342 <primary>kas commands</primary>
343 <secondary>examine</secondary>
344 </indexterm>
345
346 <indexterm>
347 <primary>displaying</primary>
348 <secondary>server encryption key</secondary>
349 <tertiary>Authentication Database</tertiary>
350 </indexterm>
351 </listitem>
352
353 <listitem id="AppendixLIWQ55">
354 <para>Issue the
355 <emphasis role="bold">kas examine</emphasis> command to display
356 the <emphasis role="bold">afs</emphasis> entry. The output
357 includes a checksum generated by encrypting a constant with the
358 server encryption key derived from the
359 <replaceable>afs_passwd</replaceable> string. In
360 Step <link linkend="AppendixLIWQ59">8</link> you issue the
361 <emphasis role="bold">bos listkeys</emphasis> command to verify
362 that the checksum in its output matches the checksum in this
363 output.
364 <programlisting>
365 ka&gt; <emphasis role="bold">examine afs</emphasis>
366 User data for afs
367 key (0) cksum is <replaceable>checksum</replaceable> . . .
368 </programlisting>
369 <indexterm>
370 <primary>commands</primary>
371 <secondary>kas setfields</secondary>
372 </indexterm>
373 <indexterm>
374 <primary>kas commands</primary>
375 <secondary>setfields</secondary>
376 </indexterm>
377 <indexterm>
378 <primary>admin account</primary>
379 <secondary>setting ADMIN flag on Auth. DB entry</secondary>
380 </indexterm>
381 </para>
382 </listitem>
383
384 <listitem id="LIWQ56">
385 <para>Issue the
386 <emphasis role="bold">kas setfields</emphasis> command to turn
387 on the <computeroutput>ADMIN</computeroutput> flag in the
388 <emphasis role="bold">admin</emphasis> entry. This enables the
389 <emphasis role="bold">admin</emphasis> user to issue privileged
390 <emphasis role="bold">kas</emphasis> commands. Then issue
391 the <emphasis role="bold">kas examine</emphasis> command to verify
392 that the <computeroutput>ADMIN</computeroutput> flag
393 appears in parentheses on the first line of the output, as shown
394 in the example.
395 <programlisting>
396 ka&gt; <emphasis role="bold">setfields admin -flags admin</emphasis>
397 ka&gt; <emphasis role="bold">examine admin</emphasis>
398 User data for admin (ADMIN) . . .
399 </programlisting>
400 <indexterm>
401 <primary>commands</primary>
402 <secondary>kas quit</secondary>
403 </indexterm>
404 <indexterm>
405 <primary>kas commands</primary>
406 <secondary>quit</secondary>
407 </indexterm>
408 <indexterm>
409 <primary>interactive mode for kas</primary>
410 <secondary>quitting</secondary>
411 </indexterm>
412 </para>
413 </listitem>
414
415 <listitem>
416 <para>Issue the <emphasis role="bold">kas quit</emphasis>
417 command to leave <emphasis role="bold">kas</emphasis>
418 interactive mode.
419 <programlisting>
420 ka&gt; <emphasis role="bold">quit</emphasis>
421 </programlisting>
422 <indexterm>
423 <primary>commands</primary>
424 <secondary>bos adduser</secondary>
425 </indexterm>
426 <indexterm>
427 <primary>bos commands</primary>
428 <secondary>adduser</secondary>
429 </indexterm>
430 <indexterm>
431 <primary>usr/afs/etc/UserList</primary>
432 <see>UserList file</see>
433 </indexterm>
434 <indexterm>
435 <primary>UserList file</primary>
436 <secondary>first AFS machine</secondary>
437 </indexterm>
438 <indexterm>
439 <primary>files</primary>
440 <secondary>UserList</secondary>
441 </indexterm>
442 <indexterm>
443 <primary>creating</primary>
444 <secondary>UserList file entry</secondary>
445 </indexterm>
446 <indexterm>
447 <primary>admin account</primary>
448 <secondary>adding</secondary>
449 <tertiary>to UserList file</tertiary>
450 </indexterm>
451 </para>
452 </listitem>
453
454 <listitem id="AppendixLIWQ57">
455 <para>Issue the
456 <emphasis role="bold">bos adduser</emphasis> command to add the
457 <emphasis role="bold">admin</emphasis> user to the
458 <emphasis role="bold">/usr/afs/etc/UserList</emphasis> file.
459 This enables the <emphasis role="bold">admin</emphasis> user to
460 issue privileged <emphasis role="bold">bos</emphasis> and
461 <emphasis role="bold">vos</emphasis> commands.
462 <programlisting>
463 # <emphasis role="bold">./bos adduser</emphasis> &lt;<replaceable>machine name</replaceable>&gt; <emphasis role="bold">admin -cell</emphasis> &lt;<replaceable>cell name</replaceable>&gt; <emphasis
464 role="bold">-noauth</emphasis>
465 </programlisting>
466 <indexterm>
467 <primary>commands</primary>
468 <secondary>bos addkey</secondary>
469 </indexterm>
470 <indexterm>
471 <primary>bos commands</primary>
472 <secondary>addkey</secondary>
473 </indexterm>
474 <indexterm>
475 <primary>creating</primary>
476 <secondary>server encryption key</secondary>
477 <tertiary>KeyFile file</tertiary>
478 </indexterm>
479 <indexterm>
480 <primary>server encryption key</primary>
481 <secondary>in KeyFile file</secondary>
482 </indexterm>
483 </para>
484 </listitem>
485
486 <listitem id="AppendixLIWQ58">
487 <para>Issue the
488 <emphasis role="bold">bos addkey</emphasis> command to define
489 the AFS server encryption key in the
490 <emphasis role="bold">/usr/afs/etc/KeyFile</emphasis> file.
491 </para>
492
493 <para>Do not provide the password on the command line. Instead
494 provide it as <replaceable>afs_passwd</replaceable> in
495 response to the <emphasis role="bold">bos</emphasis> command
496 interpreter's prompts, as shown. Provide the same string as
497 in Step <link linkend="AppendixLIWQ54">2</link>.</para>
498
499 <programlisting>
500 # <emphasis role="bold">./bos addkey</emphasis> &lt;<replaceable>machine name</replaceable>&gt; <emphasis role="bold">-kvno 0 -cell</emphasis> &lt;<replaceable>cell name</replaceable>&gt; <emphasis
501 role="bold">-noauth</emphasis>
502 Input key: <replaceable>afs_passwd</replaceable>
503 Retype input key: <replaceable>afs_passwd</replaceable>
504 </programlisting>
505
506 <indexterm>
507 <primary>commands</primary>
508 <secondary>bos listkeys</secondary>
509 </indexterm>
510
511 <indexterm>
512 <primary>bos commands</primary>
513 <secondary>listkeys</secondary>
514 </indexterm>
515
516 <indexterm>
517 <primary>displaying</primary>
518 <secondary>server encryption key</secondary>
519 <tertiary>KeyFile file</tertiary>
520 </indexterm>
521 </listitem>
522
523 <listitem id="AppendixLIWQ59">
524 <para>Issue the
525 <emphasis role="bold">bos listkeys</emphasis> command to verify
526 that the checksum for the new key in the
527 <emphasis role="bold">KeyFile</emphasis> file is the same as the
528 checksum for the key in the Authentication Database's
529 <emphasis role="bold">afs</emphasis> entry, which you displayed
530 in Step <link linkend="AppendixLIWQ55">3</link>.
531 <programlisting>
532 # <emphasis role="bold">./bos listkeys</emphasis> &lt;<replaceable>machine name</replaceable>&gt; <emphasis role="bold">-cell</emphasis> &lt;<replaceable>cell name</replaceable>&gt; <emphasis
533 role="bold">-noauth</emphasis>
535 key 0 has cksum <replaceable>checksum</replaceable>
536 </programlisting></para>
537
538 <para>You can safely ignore any error messages indicating that
539 <emphasis role="bold">bos</emphasis> failed to get tickets
540 or that authentication failed.</para>
541
542 <para>If the keys are different, issue the following commands,
543 making sure that the <replaceable>afs_passwd</replaceable>
544 string is the same in each case. The
545 <replaceable>checksum</replaceable> strings reported by the
546 <emphasis role="bold">kas examine</emphasis> and
547 <emphasis role="bold">bos listkeys</emphasis> commands must
548 match; if they do not, repeat these instructions until they do,
549 using the <emphasis role="bold">-kvno</emphasis> argument to
550 increment the key version number each time.</para>
551
552 <programlisting>
553 # <emphasis role="bold">./kas -cell</emphasis> &lt;<replaceable>cell name</replaceable>&gt; <emphasis role="bold">-noauth</emphasis>
554 ka&gt; <emphasis role="bold">setpassword afs -kvno 1</emphasis>
555 new_password: <replaceable>afs_passwd</replaceable>
556 Verifying, please re-enter new_password: <replaceable>afs_passwd</replaceable>
557 ka&gt; <emphasis role="bold">examine afs</emphasis>
558 User data for afs
559 key (1) cksum is <replaceable>checksum</replaceable> . . .
560 ka&gt; <emphasis role="bold">quit</emphasis>
561 # <emphasis role="bold">./bos addkey</emphasis> &lt;<replaceable>machine name</replaceable>&gt; <emphasis role="bold">-kvno 1 -cell</emphasis> &lt;<replaceable>cell name</replaceable>&gt; <emphasis
562 role="bold">-noauth</emphasis>
563 Input key: <replaceable>afs_passwd</replaceable>
564 Retype input key: <replaceable>afs_passwd</replaceable>
565 # <emphasis role="bold">./bos listkeys</emphasis> &lt;<replaceable>machine name</replaceable>&gt; <emphasis role="bold">-cell</emphasis> &lt;<replaceable>cell name</replaceable>&gt; <emphasis
566 role="bold">-noauth</emphasis>
567 key 1 has cksum <replaceable>checksum</replaceable>
568 </programlisting>
569 </listitem>
570 <listitem>
571 <para>Proceed to
572 <link linkend="HDRWQ53a">Initializing the Protection Database</link>
573 to continue with the installation process</para>
574 </listitem>
575 </orderedlist></para>
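<para>The checksum comparison in Steps 3 and 8, and the choice of the
next key version number when the checksums differ, can be scripted so
that the check is not done by eye. The following is an added example
and is not part of the OpenAFS distribution: it parses the output of
<emphasis role="bold">kas examine</emphasis> and
<emphasis role="bold">bos listkeys</emphasis> in the line formats shown
above. The sample outputs embedded in it are constructed, not captured
from a cell; the checksum values are invented and the text following
each checksum is an assumption.</para>

```shell
#!/bin/sh
# Added example, not part of the OpenAFS documentation. Compares the AFS
# server key checksum in the Authentication Database ("kas examine afs")
# with the one in /usr/afs/etc/KeyFile ("bos listkeys") and, on a
# mismatch, picks the next key version number for the retry described
# above (kas setpassword afs -kvno N, then bos addkey -kvno N).

# Constructed sample of "kas examine afs" output. The checksum is an
# invented value and the text after the checksum is an assumption.
SAMPLE_KAS='User data for afs
  key (0) cksum is 2325456121, last cpw: Mon Jan  1 00:00:00 2001
  password will never expire.'

# Constructed sample of "bos listkeys" output with two key versions.
SAMPLE_BOS='key 0 has cksum 2325456121
key 1 has cksum 1830612784
Keys last changed on Mon Jan  1 00:00:00 2001.
All done.'

# Print "kvno cksum" for each "key (N) cksum is C" line on stdin.
kas_cksums() {
    sed -n 's/^[[:space:]]*key (\([0-9][0-9]*\)) cksum is \([0-9][0-9]*\).*/\1 \2/p'
}

# Print "kvno cksum" for each "key N has cksum C" line on stdin.
bos_cksums() {
    sed -n 's/^key \([0-9][0-9]*\) has cksum \([0-9][0-9]*\).*/\1 \2/p'
}

# Select the checksum for one kvno from a "kvno cksum" list on stdin.
cksum_for_kvno() {
    awk -v k="$1" '$1 == k { print $2; exit }'
}

# keys_match KVNO KAS_OUTPUT BOS_OUTPUT
# Succeeds only when both outputs carry KVNO with the same checksum;
# a kvno missing on either side is a mismatch, not a pass.
keys_match() {
    kvno=$1
    a=$(printf '%s\n' "$2" | kas_cksums | cksum_for_kvno "$kvno")
    b=$(printf '%s\n' "$3" | bos_cksums | cksum_for_kvno "$kvno")
    if [ -z "$a" ]; then
        return 1
    fi
    [ "$a" = "$b" ]
}

# next_kvno BOS_OUTPUT: one more than the highest kvno in the KeyFile
# (0 when the KeyFile is empty), for -kvno on the retry commands.
next_kvno() {
    {
        printf '%s\n' "$1" | bos_cksums
        echo "-1 none"
    } | sort -n | tail -n 1 | awk '{ print $1 + 1 }'
}

# check_key KVNO KAS_OUTPUT BOS_OUTPUT: report the result for one kvno.
check_key() {
    if keys_match "$1" "$2" "$3"; then
        echo "kvno $1: KeyFile and Authentication Database agree"
    else
        echo "kvno $1: MISMATCH, re-run setpassword/addkey with -kvno $(next_kvno "$3")"
    fi
}

# On the first AFS machine (still in no-authorization mode) the two
# outputs would come from:
#   kas examine afs -cell CELL -noauth
#   bos listkeys MACHINE -cell CELL -noauth
# Here the constructed samples stand in for them.
check_key 0 "$SAMPLE_KAS" "$SAMPLE_BOS"
```

<para>To use it against a real cell, capture the output of the two
commands named in the final comment into the two variables instead of
the constructed samples. Note that a key version present in only one
of the two places is reported as a mismatch rather than silently
passed, since a KeyFile entry with no matching Authentication Database
key cannot decrypt the tickets the Authentication Server issues.</para>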
576 </sect3>
577 </sect2>
578 <sect2 id="KAS009">
579 <title>Installing Additional Server Machines</title>
580
581 <sect3 id="KAS010">
582 <title>Starting the Authenticxation Service</title>
583 <indexterm>
584 <primary>Authentication Server</primary>
585 <secondary>starting</secondary>
586 <tertiary>new db-server machine</tertiary>
587 </indexterm>
588 <indexterm>
589 <primary>starting</primary>
590 <secondary>Authentication Server</secondary>
591 <tertiary>new db-server machine</tertiary>
592 </indexterm>
593 <para>In addition to the instructions in the main guide, you must
594 also start the Authentication Server on the new database machine,
595 as detailed below.</para>
596
597 <orderedlist>
598 <listitem id="LIWQ118">
599 <para>Start the Authentication Server
600 (the <emphasis role="bold">kaserver</emphasis> process).
601 <programlisting>
602 % <emphasis role="bold">bos create</emphasis> &lt;<replaceable>machine name</replaceable>&gt; <emphasis role="bold">kaserver simple /usr/afs/bin/kaserver</emphasis>
603 </programlisting> </para>
604 </listitem>
605
606 <listitem>
607 <para>Return to <link linkend="LIWQ119">starting the backup server</link></para>
608 </listitem>
609 </orderedlist>
610 </sect3>
611 </sect2>
612
613 <sect2 id="KAS011">
614 <title>Enabling AFS login with kaserver</title>
615 <para>The authentication system of every machine should be modified so
616 that users obtain an AFS token as they log into the local file system.
617 Using AFS is simpler and more convenient for your users if you make the
618 modifications on all client machines. Otherwise users must perform a two
619 step login procedure (login to the local system, and then issue the
620 <emphasis role="bold">klog</emphasis> command).</para>
621
622 <para>For convenience, the following sections group this procedure by
623 system type. Proceed to the appropriate section.
624 <itemizedlist>
625 <listitem>
626 <para>
627 <link linkend="KAS015">Enabling AFS Login on Linux Systems</link>
628 </para>
629 </listitem>
630 <listitem>
631 <para>
632 <link linkend="KAS016">Enabling AFS login on Solaris Systems</link>
633 </para>
634 </listitem>
635 </itemizedlist>
636 </para>
637 </sect2>
638 <sect2 id="KAS015">
639 <title>Enabling kaserver based AFS Login on Linux Systems</title>
640
641 <para>At this point you incorporate AFS into the operating system's
642 Pluggable Authentication Module (PAM) scheme. PAM integrates all
643 authentication mechanisms on the machine, including login, to provide
644 the security infrastructure for authenticated access to and from the
645 machine.</para>
646
647 <para>Explaining PAM is beyond the scope of this document. It is
648 assumed that you understand the syntax and meanings of settings in the
649 PAM configuration file (for example, how the
650 <computeroutput>other</computeroutput> entry works, the effect of
651 marking an entry as <computeroutput>required</computeroutput>,
652 <computeroutput>optional</computeroutput>, or
653 <computeroutput>sufficient</computeroutput>, and so on).</para>
654
655 <para>The following instructions explain how to alter the entries in
656 the PAM configuration file for each service for which you
657 wish to use AFS authentication. Other configurations possibly also
658 work, but the instructions specify the recommended and
659 tested configuration.</para>
660
661 <para>The recommended AFS-related entries in the PAM configuration
662 file make use of one or more of the following
663 attributes.
664 <variablelist>
665 <title>Authentication Management</title>
666
667 <varlistentry>
668 <term><emphasis role="bold"><computeroutput>try_first_pass</computeroutput></emphasis></term>
669
670 <listitem>
671 <para>This is a standard PAM attribute that can be included on
672 entries after the first one for a service; it directs
673 the module to use the password that was provided to the first
674 module. For the AFS module, it means that AFS
675 authentication succeeds if the password provided to the module
676 listed first is the user's correct AFS password. For
677 further discussion of this attribute and its alternatives, see
678 the operating system's PAM documentation.</para>
679 </listitem>
680 </varlistentry>
681
682 <varlistentry>
683 <term><emphasis role="bold"><computeroutput>ignore_root</computeroutput></emphasis></term>
684
685 <listitem>
686 <para>This attribute, specific to the AFS PAM module, directs it
687 to ignore not only the local superuser <emphasis
688 role="bold">root</emphasis>, but also any user with UID
689 0 (zero).</para>
690 </listitem>
691 </varlistentry>
692
693 <varlistentry>
694 <term><emphasis role="bold"><computeroutput>ignore_uid </computeroutput><emphasis>uid</emphasis></emphasis></term>
695
696 <listitem>
697 <para>This option is an extension of the "ignore_root" switch.
698 The additional parameter is a limit. Users with a uid
699 up to the given parameter are ignored by
700 <emphasis>pam_afs.so</emphasis>. Thus, a system administrator
701 still has the
702 opportunity to add local user accounts to his system by choosing
703 between "low" and "high" user ids. An example
704 /etc/passwd file for "ignore_uid 100" may have entries like these:
705 <programlisting>
706 .
707 .
708 afsuserone:x:99:100::/afs/afscell/u/afsuserone:/bin/bash
709 afsusertwo:x:100:100::/afs/afscell/u/afsusertwo:/bin/bash
710 localuserone:x:101:100::/home/localuserone:/bin/bash
711 localusertwo:x:102:100::/home/localusertwo:/bin/bash
712 .
713 .
714 </programlisting>
715 AFS accounts should be locked in the file /etc/shadow like this:
716 <programlisting>
717 .
718 .
719 afsuserone:!!:11500:0:99999:7:::
720 afsusertwo:!!:11500:0:99999:7:::
721 localuserone:&lt;thelocaluserone'skey&gt;:11500:0:99999:7:::
722 localusertwo:&lt;thelocalusertwo'skey&gt;:11500:0:99999:7:::
723 .
724 .
725 </programlisting>
726 There is no need to store a local password hash in this file, because the
727 user's AFS password is verified by the cell's Authentication Server.</para>
728 </listitem>
729 </varlistentry>
730
731 <varlistentry>
732 <term><emphasis role="bold"><computeroutput>setenv_password_expires</computeroutput></emphasis></term>
733
734 <listitem>
735 <para>This attribute, specific to the AFS PAM module, sets the
736 environment variable PASSWORD_EXPIRES to the expiration
737 date of the user's AFS password, which is recorded in the
738 Authentication Database.</para>
739 </listitem>
740 </varlistentry>
741
742 <varlistentry>
743 <term><emphasis role="bold"><computeroutput>set_token</computeroutput></emphasis></term>
744
745 <listitem>
746 <para>Some applications don't call
747 <emphasis>pam_setcred()</emphasis> in order to retrieve the
748 appropriate credentials (here the AFS token) for their session.
749 This switch sets the credentials already in
750 <emphasis>pam_sm_authenticate()</emphasis> obsoleting a call to
751 <emphasis>pam_setcred()</emphasis>. <emphasis
752 role="bold">Caution: Don't use this switch for applications which
753 do call <emphasis>pam_setcred()</emphasis>!</emphasis> One
754 example for an application not calling
755 <emphasis>pam_setcred()</emphasis> are older versions of the
756 samba server. Nevertheless, using applications with
757 working pam session management is recommended as this setup
758 conforms better with the PAM definitions.</para>
759 </listitem>
760 </varlistentry>
761
762 <varlistentry>
763 <term><emphasis role="bold"><computeroutput>refresh_token</computeroutput></emphasis></term>
764
765 <listitem>
766 <para>This option is identical to "set_token" except that no
767 new PAG is generated. This is necessary for
768 processes like xlock or xscreensaver: it is not enough to
769 unlock the screen for a user who reactivated the session by
770 typing the correct AFS password; the user may also need
771 fresh tokens with a full lifetime in order to keep working, and
772 the new token must be placed in the already existing PAG
773 so that the processes started earlier can use it. This option
774 achieves that.</para>
775 </listitem>
776 </varlistentry>
777
778 <varlistentry>
779 <term><emphasis role="bold"><computeroutput>use_klog</computeroutput></emphasis></term>
780
781 <listitem>
782 <para>Activating this switch causes authentication to be done by
783 calling the external program "klog". One program requiring
784 this is for example <emphasis>kdm</emphasis> of KDE 2.x.</para>
785 </listitem>
786 </varlistentry>
787
788 <varlistentry>
789 <term><emphasis role="bold"><computeroutput>dont_fork</computeroutput></emphasis></term>
790
791 <listitem>
792 <para>Usually, password verification and token establishment
793 are performed in a sub-process. With this option pam_afs does not
794 fork and performs all actions in a single process.
795 <emphasis role="bold">Only use this option in cases where you
796 notice serious problems caused by the sub-process.</emphasis>
797 This option was developed for
798 the "mod_auth_pam" project (see also
799 <ulink url="http://pam.sourceforge.net/mod_auth_pam/">mod_auth_pam</ulink>).
800 The mod_auth_pam module enables PAM authentication for the Apache
801 HTTP server.</para>
802 </listitem>
803 </varlistentry>
804 </variablelist>
805 <variablelist>
806 <title>Session Management</title>
807
808 <varlistentry>
809 <term><emphasis role="bold"><computeroutput>no_unlog</computeroutput></emphasis></term>
810
811 <listitem>
812 <para>Normally the tokens are deleted from the kernel's in-memory
813 token store when the session ends. Using this option leaves the
814 tokens untouched. <emphasis role="bold">This behaviour was the
815 default in pam_afs until openafs-1.1.1!</emphasis></para>
816 </listitem>
817 </varlistentry>
818
819 <varlistentry>
820 <term><emphasis role="bold"><computeroutput>remainlifetime</computeroutput> <emphasis>sec</emphasis></emphasis></term>
821
822 <listitem>
823 <para>The tokens are kept active for <emphasis>sec</emphasis>
824 seconds before they are deleted. X display managers, for example,
825 notify the applications started in the X session
826 before logging out and then exit themselves. If the token
827 were deleted immediately, those applications would have no chance
828 to write their settings back to, for example, the user's AFS home
829 directory. This option helps to avoid that problem.</para>
830 </listitem>
831 </varlistentry>
832 </variablelist></para>
833
834 <para>Perform the following steps to enable AFS login.
835 <orderedlist>
836 <listitem>
837 <para>Unpack the OpenAFS Binary Distribution for Linux into the
838 <emphasis role="bold">/tmp/afsdist/</emphasis> directory, if it is
839 not already.
840 Then change to the directory for PAM modules, which depends on which Linux distribution you are using.</para>
841
842 <para>If you are using a Linux distribution from Red Hat Software:</para>
843
844 <programlisting>
845 # <emphasis role="bold">cd /lib/security</emphasis>
846 </programlisting>
847
848 <para>If you are using another Linux distribution:</para>
849
850 <programlisting>
851 # <emphasis role="bold">cd /usr/lib/security</emphasis>
852 </programlisting>
853 </listitem>
854
855 <listitem>
856 <para>Copy the appropriate AFS authentication library file to the
857 directory to which you changed in the previous step.
858 Create a symbolic link whose name does not mention the version.
859 Omitting the version eliminates the need to edit the PAM
860 configuration file if you later update the library file.</para>
861
862 <para>If you use the AFS Authentication Server
863 (<emphasis role="bold">kaserver</emphasis> process):</para>
864 <programlisting>
865 # <emphasis role="bold">cp /cdrom/i386_linux22/lib/pam_afs.so.1 .</emphasis>
866 # <emphasis role="bold">ln -s pam_afs.so.1 pam_afs.so</emphasis>
867 </programlisting>
868
869 <para>If you use a Kerberos implementation of AFS
870 authentication:</para>
871 <programlisting>
872 # <emphasis role="bold">cp /cdrom/i386_linux22/lib/pam_afs.krb.so.1 .</emphasis>
873 # <emphasis role="bold">ln -s pam_afs.krb.so.1 pam_afs.so</emphasis>
874 </programlisting>
875 </listitem>
876
877 <listitem>
878 <para>For each service with which you want to use AFS
879 authentication, insert an entry for the AFS PAM module into the
880 <computeroutput>auth</computeroutput> section of the service's
881 PAM configuration file. (Linux uses a separate
882 configuration file for each service, unlike some other operating
883 systems which list all services in a single file.) Mark
884 the entry as <computeroutput>sufficient</computeroutput> in the
885 second field.</para>
886
887 <para>Place the AFS entry below any entries that impose conditions
888 under which you want the service to fail for a user
889 who does not meet the entry's requirements. Mark these entries
890 <computeroutput>required</computeroutput>. Place the AFS
891 entry above any entries that need to execute only if AFS
892 authentication fails.</para>
893
894 <para>Insert the following AFS entry if using the Red Hat
895 distribution:</para>
896 <programlisting>
897 auth sufficient /lib/security/pam_afs.so try_first_pass ignore_root
898 </programlisting>
899
900 <para>Insert the following AFS entry if using another
901 distribution:</para>
902
903 <programlisting>
904 auth sufficient /usr/lib/security/pam_afs.so try_first_pass ignore_root
905 </programlisting>
906
907 <para>Also check the PAM configuration files for "session" entries. If
908 there are lines beginning with "session", then also
909 insert this line:</para>
910
911 <programlisting>
912 session optional /lib/security/pam_afs.so
913 </programlisting>
914
915 <para>or</para>
916
917 <programlisting>
918 session optional /usr/lib/security/pam_afs.so
919 </programlisting>
920
921 <para>This guarantees that the user's tokens are deleted from
922 the kernel after the session ends, so that no other user
923 can coincidentally pick up those tokens without authorization. The
924 following examples illustrate the recommended
925 configuration file for several services:
926 <variablelist>
927 <title>Authentication Management</title>
928
929 <varlistentry>
930 <term>(<emphasis role="bold">/etc/pam.d/login</emphasis>)</term>
931
932 <listitem>
933 <para>
934 <programlisting>
935 #%PAM-1.0
936 auth required /lib/security/pam_securetty.so
937 auth required /lib/security/pam_nologin.so
938 auth sufficient /lib/security/pam_afs.so try_first_pass ignore_root
939 # ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
940 #This enables AFS authentication for every user but root
941 auth required /lib/security/pam_pwdb.so shadow nullok
942 account required /lib/security/pam_pwdb.so
943 password required /lib/security/pam_cracklib.so
944 password required /lib/security/pam_pwdb.so shadow nullok use_authtok
945 session optional /lib/security/pam_afs.so
946 #Make sure tokens are deleted after the user logs out
947 session required /lib/security/pam_pwdb.so
948 </programlisting>
949 </para>
950 </listitem>
951 </varlistentry>
952
953 <varlistentry>
954 <term>(<emphasis role="bold">/etc/pam.d/samba</emphasis>)</term>
955
956 <listitem>
957 <para>
958 <programlisting>
959 auth required /lib/security/pam_afs.so ignore_uid 100 set_token
960 # ^^^^^^^^^^^^^^^^^^^^^^^^
961 #Here, users with uid&gt;100 are considered to belong to the AFS and users
962 #with uid&lt;=100 are ignored by pam_afs. The token is retrieved already in
963 #pam_sm_authenticate() (this is an example pam config for a samba version
964 #that does not call pam_setcred(); it also makes no sense to include session
965 #entries here since they would be ignored by this version of samba).
966 account required /lib/security/pam_pwdb.so
967 </programlisting>
968 </para>
969 </listitem>
970 </varlistentry>
971
972 <varlistentry>
973 <term>(<emphasis role="bold">/etc/pam.d/xscreensaver</emphasis>)</term>
974
975 <listitem>
976 <para>
977 <programlisting>
978 auth sufficient /lib/security/pam_afs.so ignore_uid 100 refresh_token
979 # ^^^^^^^^^^^^^
980 #Avoid generating a new PAG for the new tokens, use the already existing PAG and
981 #establish a fresh token in it.
982 auth required /lib/security/pam_pwdb.so try_first_pass
983 </programlisting>
984 </para>
985 </listitem>
986 </varlistentry>
987
988 <varlistentry>
989 <term>(<emphasis role="bold">/etc/pam.d/httpd</emphasis>)</term>
990
991 <listitem>
992 <para>
993 <programlisting>
994 auth required /lib/security/pam_afs.so ignore_uid 100 dont_fork
995 # ^^^^^^^^^
996 #Don't fork for the verification of the password.
997 </programlisting>
998 </para>
999 </listitem>
1000 </varlistentry>
1001 </variablelist>
1002 <variablelist>
1003 <title>Session Management</title>
1004
1005 <varlistentry>
1006 <term>(<emphasis role="bold">/etc/pam.d/su</emphasis>)</term>
1007
1008 <listitem>
1009 <para>
1010 <programlisting>
1011 auth sufficient /lib/security/pam_afs.so ignore_uid 100
1012 auth required /lib/security/pam_pwdb.so try_first_pass
1013 account required /lib/security/pam_pwdb.so
1014 password required /lib/security/pam_cracklib.so
1015 password required /lib/security/pam_pwdb.so use_authtok
1016 session required /lib/security/pam_pwdb.so
1017 session optional /lib/security/pam_afs.so no_unlog
1018 # ^^^^^^^^
1019 #Don't delete the token in this case, since the user may still
1020 #need it (for example if somebody logs in and changes to root
1021 #afterwards he may still want to access his home space in AFS).
1022 session required /lib/security/pam_login_access.so
1023 session optional /lib/security/pam_xauth.so
1024 </programlisting>
1025 </para>
1026 </listitem>
1027 </varlistentry>
1028
1029 <varlistentry>
1030 <term>(<emphasis role="bold">/etc/pam.d/xdm</emphasis>)</term>
1031
1032 <listitem>
1033 <para>
1034 <programlisting>
1035 auth required /lib/security/pam_nologin.so
1036 auth required /lib/security/pam_login_access.so
1037 auth sufficient /lib/security/pam_afs.so ignore_uid 100 use_klog
1038 auth required /lib/security/pam_pwdb.so try_first_pass
1039 account required /lib/security/pam_pwdb.so
1040 password required /lib/security/pam_cracklib.so
1041 password required /lib/security/pam_pwdb.so shadow nullok use_authtok
1042 session optional /lib/security/pam_afs.so remainlifetime 10
1043 # ^^^^^^^^^^^^^^^^^
1044 #Wait 10 seconds before deleting the AFS tokens in order to give
1045 #the programs of the X session some time to save their settings
1046 #to AFS.
1047 session required /lib/security/pam_pwdb.so
1048 </programlisting>
1049 </para>
1050 </listitem>
1051 </varlistentry>
1052 </variablelist></para>
1053 </listitem>
1054 <listitem>
1055 <para>After taking any necessary action, proceed to
1056 <link linkend="HDRWQ50">Starting the BOS Server</link> if you
1057 are installing your first file server;
1058 <link linkend="HDRWQ108">Starting Server Programs</link> if you
1059 are installing an additional file server machine; or
1060 <link linkend="HDRWQ145">Loading and Creating Client Files</link> if you are installing a client.
1061 </para>
1062 </listitem>
1063 </orderedlist>
1064 </para>
1065 </sect2>
1066 <sect2 id="KAS016">
1067 <title>Enabling kaserver based AFS Login on Solaris Systems</title>
1068
1069 <para>At this point you incorporate AFS into the operating system's
1070 Pluggable Authentication Module (PAM) scheme. PAM
1071 integrates all authentication mechanisms on the machine, including
1072 login, to provide the security infrastructure for
1073 authenticated access to and from the machine.</para>
1074
1075 <para>Explaining PAM is beyond the scope of this document. It is
1076 assumed that you understand the syntax and meanings of
1077 settings in the PAM configuration file (for example, how the
1078 <computeroutput>other</computeroutput> entry works, the effect of
1079 marking an entry as <computeroutput>required</computeroutput>,
1080 <computeroutput>optional</computeroutput>, or
1081 <computeroutput>sufficient</computeroutput>, and so on).</para>
1082
1083 <para>The following instructions explain how to alter the entries in the
1084 PAM configuration file for each service for which you
1085 wish to use AFS authentication. Other configurations may also
1086 work, but the instructions specify the recommended and
1087 tested configuration.</para>
1088
1089 <note>
1090 <para>The instructions specify that you mark each entry as
1091 <computeroutput>optional</computeroutput>. However, marking some
1092 modules as optional can mean that they grant access to the
1093 corresponding service even when the user does not meet all of the
1094 module's requirements. In some operating system revisions,
1095 for example, if you mark as optional the module that controls
1096 login via a dial-up connection, it allows users to login without
1097 providing a password. See the <emphasis>OpenAFS Release
1098 Notes</emphasis> for a discussion of any limitations that apply to
1099 this operating system.</para>
1100
1101 <para>Also, with some operating system versions you must install
1102 patches for PAM to interact correctly with certain
1103 authentication programs. For details, see the
1104 <emphasis>OpenAFS Release Notes</emphasis>.</para>
1105 </note>
1106
1107 <para>The recommended AFS-related entries in the PAM configuration file
1108 make use of one or more of the following three
1109 attributes.
1110 <variablelist>
1111 <title>Authentication Management</title>
1112
1113 <varlistentry>
1114 <term><emphasis role="bold"><computeroutput>try_first_pass</computeroutput></emphasis></term>
1115
1116 <listitem>
1117 <para>This is a standard PAM attribute that can be included on
1118 entries after the first one for a service; it directs
1119 the module to use the password that was provided to the first
1120 module. For the AFS module, it means that AFS
1121 authentication succeeds if the password provided to the module
1122 listed first is the user's correct AFS password. For
1123 further discussion of this attribute and its alternatives, see
1124 the operating system's PAM documentation.</para>
1125 </listitem>
1126 </varlistentry>
1127
1128 <varlistentry>
1129 <term><emphasis role="bold"><computeroutput>ignore_root</computeroutput></emphasis></term>
1130
1131 <listitem>
1132 <para>This attribute, specific to the AFS PAM module, directs it
1133 to ignore not only the local superuser <emphasis
1134 role="bold">root</emphasis>, but also any user with UID 0
1135 (zero).</para>
1136 </listitem>
1137 </varlistentry>
1138
1139 <varlistentry>
1140 <term><emphasis role="bold"><computeroutput>setenv_password_expires</computeroutput></emphasis></term>
1141
1142 <listitem>
1143 <para>This attribute, specific to the AFS PAM module, sets the
1144 environment variable PASSWORD_EXPIRES to the expiration
1145 date of the user's AFS password, which is recorded in the
1146 Authentication Database.</para>
1147 </listitem>
1148 </varlistentry>
1149 </variablelist></para>
1150
1151 <para>Perform the following steps to enable AFS login. <orderedlist>
1152 <listitem>
1153 <para>Unpack the OpenAFS Binary Distribution for Solaris into the
1154 <emphasis role="bold">/cdrom</emphasis> directory, if it is not
1155 already.
1156 Then change directory as indicated.
1157 <programlisting>
1158 # <emphasis role="bold">cd /usr/lib/security</emphasis>
1159 </programlisting></para>
1160 </listitem>
1161
1162 <listitem>
1163 <para>Copy the AFS authentication library file to the
1164 <emphasis role="bold">/usr/lib/security</emphasis> directory. Then
1165 create a symbolic link to it whose name does not mention the
1166 version. Omitting the version eliminates the need to edit
1167 the PAM configuration file if you later update the library
1168 file.</para>
1169
1170 <para>If you use the AFS Authentication Server
1171 (<emphasis role="bold">kaserver</emphasis> process):</para>
1172
1173 <programlisting>
1174 # <emphasis role="bold">cp /tmp/afsdist/sun4x_56/dest/lib/pam_afs.so.1 .</emphasis>
1175 # <emphasis role="bold">ln -s pam_afs.so.1 pam_afs.so</emphasis>
1176 </programlisting>
1177
1178 <para>If you use a Kerberos implementation of AFS authentication:</para>
1179
1180 <programlisting>
1181 # <emphasis role="bold">cp /tmp/afsdist/sun4x_56/dest/lib/pam_afs.krb.so.1 .</emphasis>
1182 # <emphasis role="bold">ln -s pam_afs.krb.so.1 pam_afs.so</emphasis>
1183 </programlisting>
1184 </listitem>
1185
1186 <listitem>
1187 <para>Edit the
1188 <computeroutput>Authentication management</computeroutput> section
1189 of the Solaris PAM configuration file,
1190 <emphasis role="bold">/etc/pam.conf</emphasis> by convention.
1191 The entries in this section have the value
1192 <computeroutput>auth</computeroutput> in their second field.</para>
1193
1194 <para>First edit the standard entries, which refer to the
1195 Solaris PAM module (usually, the file <emphasis
1196 role="bold">/usr/lib/security/pam_unix.so.1</emphasis>) in their
1197 fourth field. For each service for which you want to
1198 use AFS authentication, edit the third field of its entry to read
1199 <computeroutput>optional</computeroutput>. The
1200 <emphasis role="bold">pam.conf</emphasis> file in the Solaris
1201 distribution usually includes standard entries for the
1202 <emphasis role="bold">login</emphasis>,
1203 <emphasis role="bold">rlogin</emphasis>, and <emphasis
1204 role="bold">rsh</emphasis> services, for instance.</para>
1205
1206 <para>If there are services for which you want to use AFS
1207 authentication, but for which the <emphasis
1208 role="bold">pam.conf</emphasis> file does not already include a
1209 standard entry, you must create that entry and place the
1210 value <computeroutput>optional</computeroutput> in its third field.
1211 For instance, the Solaris
1212 <emphasis role="bold">pam.conf</emphasis> file does not usually
1213 include standard entries for the
1214 <emphasis role="bold">ftp</emphasis> or
1215 <emphasis role="bold">telnet</emphasis> services.</para>
1216
1217 <para>Then create an AFS-related entry for each service, placing it
1218 immediately below the standard entry. The following
1219 example shows what the
1220 <computeroutput>Authentication Management</computeroutput>
1221 section looks like after you have edited or created entries
1222 for the services mentioned previously. Note that the example AFS
1223 entries appear on two lines
1224 only for legibility.</para>
1225
1226 <programlisting>
1227 login auth optional /usr/lib/security/pam_unix.so.1
1228 login auth optional /usr/lib/security/pam_afs.so \
1229 try_first_pass ignore_root setenv_password_expires
1230 rlogin auth optional /usr/lib/security/pam_unix.so.1
1231 rlogin auth optional /usr/lib/security/pam_afs.so \
1232 try_first_pass ignore_root setenv_password_expires
1233 rsh auth optional /usr/lib/security/pam_unix.so.1
1234 rsh auth optional /usr/lib/security/pam_afs.so \
1235 try_first_pass ignore_root
1236 ftp auth optional /usr/lib/security/pam_unix.so.1
1237 ftp auth optional /usr/lib/security/pam_afs.so \
1238 try_first_pass ignore_root
1239 telnet auth optional /usr/lib/security/pam_unix.so.1
1240 telnet auth optional /usr/lib/security/pam_afs.so \
1241 try_first_pass ignore_root setenv_password_expires
1242 </programlisting>
1243 </listitem>
1244
1245 <listitem>
1246 <para>If you use the Common Desktop Environment (CDE) on the
1247 machine and want users to obtain an AFS token as they log
1248 in, also add or edit the following four entries in the
1249 <computeroutput>Authentication management</computeroutput>
1250 section. Note that the AFS-related entries appear on two lines
1251 here only for legibility.
1252 <programlisting>
1253 dtlogin auth optional /usr/lib/security/pam_unix.so.1
1254 dtlogin auth optional /usr/lib/security/pam_afs.so \
1255 try_first_pass ignore_root
1256 dtsession auth optional /usr/lib/security/pam_unix.so.1
1257 dtsession auth optional /usr/lib/security/pam_afs.so \
1258 try_first_pass ignore_root
1259 </programlisting>
1260 </para>
1261 </listitem>
1262 <listitem>
1263 <para>Proceed to
1264 <link linkend="HDRWQ49a">Editing the File Systems Clean-up Script
1265 on Solaris Systems in the server instructions </link> if you are
1266 installing your first file server;
1267 <link linkend="HDRWQ108">Starting Server Programs</link> if you
1268 are installing an additional file server machine; or
1269 <link linkend="Header_137a">Editing the File Systems Clean-up Script
1270 on Solaris Systems in the client instructions</link> if you are
1271 installing a client.</para>
1272 </listitem>
1273 </orderedlist>
1274 </para>
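<para>As an added example (not part of OpenAFS or of this guide), the following Python script checks a PAM stack against the placement rules given in the Linux and Solaris procedures above. It verifies that the pam_afs <computeroutput>auth</computeroutput> entry comes after the gating modules the examples place before it (pam_securetty, pam_nologin, pam_login_access), because on Linux-PAM a successful <computeroutput>sufficient</computeroutput> module ends the auth stack and any gate listed after it is skipped for a user who knows the AFS password; that the entry carries <computeroutput>ignore_root</computeroutput> or <computeroutput>ignore_uid</computeroutput> so UID 0 is never authenticated against AFS; and that a service with session entries also runs pam_afs in the session stack so tokens are unlogged at logout. It parses both a per-service Linux file and a Solaris-style pam.conf with backslash continuation lines. The gate-module list, the finding texts and the embedded sample configurations are this example's own assumptions and constructions.</para>

```python
# Check a PAM stack against the pam_afs placement rules from the steps above.
# Added example, not OpenAFS code.  Handles a Linux /etc/pam.d/SERVICE file
# (pass service=...) and a Solaris-style /etc/pam.conf (service is the first
# field, a trailing backslash continues the entry).  Samples are constructed.
from dataclasses import dataclass, field

# Modules the guide places *above* the sufficient pam_afs entry because they
# impose conditions under which login must fail regardless of the AFS password
# (assumed list, taken from the examples on this page).
GATE_MODULES = ("pam_securetty", "pam_nologin", "pam_login_access")


@dataclass
class PamEntry:
    service: str
    kind: str      # auth / account / password / session
    control: str   # required / requisite / sufficient / optional
    module: str    # module path as written in the file
    args: list = field(default_factory=list)

    def is_afs(self):
        return "pam_afs" in self.module


def parse_pam(text, service=None):
    """service=None selects the Solaris pam.conf layout (service in field 1);
    otherwise every entry belongs to the given service (Linux pam.d file)."""
    entries, pending = [], ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # drop comments, incl. #%PAM-1.0
        if not line.strip():
            continue
        if line.endswith("\\"):                 # entry continues on next line
            pending += line[:-1] + " "
            continue
        fields, pending = (pending + line).split(), ""
        svc = fields.pop(0) if service is None else service
        if not fields[2:]:                      # need type, control and module
            raise ValueError("malformed PAM entry: %r" % raw)
        entries.append(PamEntry(svc, fields[0].lower(), fields[1].lower(),
                                fields[2], fields[3:]))
    return entries


def lint(text, service, solaris=False):
    """Return the findings for one service; an empty list means the stack is OK."""
    entries = parse_pam(text, None if solaris else service)
    mine = [e for e in entries if e.service == service]
    auth = [e for e in mine if e.kind == "auth"]
    afs_auth = [e for e in auth if e.is_afs()]
    if not afs_auth:
        return ["%s: no pam_afs auth entry" % service]
    afs, findings = afs_auth[0], []

    # On Linux-PAM a successful 'sufficient' module ends the auth stack, so a
    # gate listed after it is skipped for anyone who knows the AFS password.
    if afs.control == "sufficient":
        for later in auth[auth.index(afs) + 1:]:
            if any(g in later.module for g in GATE_MODULES):
                findings.append("%s: %s comes after the sufficient pam_afs entry "
                                "and would be bypassed" % (service, later.module))

    # Every example in the guide keeps UID 0 / system accounts out of AFS auth.
    if not any(a in ("ignore_root", "ignore_uid") for a in afs.args):
        findings.append("%s: pam_afs auth entry lacks ignore_root/ignore_uid, "
                        "so UID 0 would be authenticated via AFS" % service)

    # A service with session management must run pam_afs there as well,
    # otherwise the tokens stay in the kernel after logout.
    session = [e for e in mine if e.kind == "session"]
    if session and not any(e.is_afs() for e in session):
        findings.append("%s: session entries exist but none runs pam_afs, "
                        "so tokens are not unlogged at session end" % service)
    return findings


# Constructed sample: the recommended /etc/pam.d/login from the guide.
GOOD_LOGIN = """\
#%PAM-1.0
auth       required     /lib/security/pam_securetty.so
auth       required     /lib/security/pam_nologin.so
auth       sufficient   /lib/security/pam_afs.so try_first_pass ignore_root
auth       required     /lib/security/pam_pwdb.so shadow nullok
session    optional     /lib/security/pam_afs.so
session    required     /lib/security/pam_pwdb.so
"""

# Constructed sample: pam_afs moved first, ignore_root dropped, no session line.
BAD_LOGIN = """\
auth       sufficient   /lib/security/pam_afs.so try_first_pass
auth       required     /lib/security/pam_nologin.so
auth       required     /lib/security/pam_pwdb.so shadow nullok
session    required     /lib/security/pam_pwdb.so
"""

# Constructed sample: Solaris pam.conf with the guide's continuation lines.
SOLARIS_CONF = """\
login   auth optional /usr/lib/security/pam_unix.so.1
login   auth optional /usr/lib/security/pam_afs.so \\
        try_first_pass ignore_root setenv_password_expires
"""

if __name__ == "__main__":
    print(lint(GOOD_LOGIN, "login"))                  # []
    print(lint(BAD_LOGIN, "login"))                   # three findings
    print(lint(SOLARIS_CONF, "login", solaris=True))  # []
```

<para>Run it against the real files before enabling a service: <computeroutput>lint(open("/etc/pam.d/login").read(), "login")</computeroutput> on Linux, or <computeroutput>lint(open("/etc/pam.conf").read(), "login", solaris=True)</computeroutput> on Solaris. The gate check is deliberately a fixed list rather than "any required module after pam_afs", because the fallback password module (pam_pwdb or pam_unix) is supposed to follow the sufficient pam_afs entry and must not be flagged.</para>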
1275 </sect2>
1276 </sect1>
1277 </appendix>