|Text-only||Table of Contents (frame/ no frame)|
|(5) AFS authentication|
/etc/passwd, so account maintenance is greatly simplified. Once the user has been identified by the AFS system they are then allowed to use the computer and access the files in their home directory.
The main difference between an AFS user and a local user is that the AFS user is not tied or attached to a particular computer but instead has a global identity that allows the user to authenticate to multiple computers.
Computers can also use AFS without integrating the login procedure. In this case
a local login is performed as usual and then the user runs
-setpag to authenticate to AFS.
An important component of the authentication process is the
granting of a token that is associated with the current
process group (or login session).
Tokens can be thought of as temporary identity cards that
can be used to assure that a user's process does indeed have the
correct permissions to access particular files. Tokens are based on Kerberos
and have a finite lifetime (default 25 hours in the Northstar cell).
The lifetime can be adjusted (per user), up to 30 days, but not eliminated
completely. It is a design decision to increase system security.
When a token expires, the user is still logged in and can run programs, but
loses access priviledges (becomes a guest user in effect), so file read/write
actions may fail.
klog command can be used to renew a token at any time. The
token applies to all programs in the same Process Authentication Group (PAG).
With integrated logins, the PAG is a login session. The effect of this is that you may have
multiple programs and shell windows associated with the same token, and refreshing the token
in any one of them affects all the others.
tokens can be used to check the status and expiration times
of your tokens. Only one token can be held at a time for a given cell in a given PAG. This is a
consequence of the kerberos system and if it were not true, there would be ambiguity in
the access control. However, if a user has an account in multiple cells, a separate token
for each cell can be held.
klog -cell thayer.dartmouth.edu
Separate PAGs can be started from a single login session to allow programs to run authenticated as different users, but typically this facility is only needed by administrators.
unlog explicitly discards one or more tokens. It is usually performed automatically
when logging out, for added security.
AFS home directories
The major difference between an AFS home directory and local home
directories is that an AFS home directory is shared between multiple computers.
The user account is detached from the computer, making it much easier to
retire old computers and bring new ones online.
A complicating factor is that the shared home directory may be used for
different operating systems (Linux, Solaris, Irix etc.) and so common configuration files
like .cshrc and .login must be carefully crafted to produce the correct results
on all operating systems in use.
Local (unauthenticated) processes on a computer cannot typically read or write files in a home directory.
This is a problem for certain software such as mail delivery (forwarding, vacation messages, procmail) and
cron jobs. Workarounds are usually possible. For example, if all mail delivery is performed
only by a trusted computer (used for no other purpose), then that computer can be given special access.
Long running jobs
klogto refresh your token before starting a long job
klogcommand to refresh your token. Users who login each day do not need to use the "klog" command as they will receive a new token at each login.
kpasswdcommand is the AFS equivalent of the system
passwdcommand. It may be integrated with
passwdfor users with AFS homes. There are cell-specific options on acceptable passwords, password lifetimes, bad password lockouts etc.
|authentication.src last modified Sep 12, 2005||Introduction||Table of Contents
|© Dartmouth College|