Diff for "AuthenticationScheme"

Differences between revisions 5 and 6
Revision 5 as of 2007-11-12 18:59:52
Size: 1772
Editor: MichaelOlson
Comment: Remove incorrect last paragraph
Revision 6 as of 2008-07-07 04:28:00
Size: 1772
Editor: localhost
Comment: converted to 1.6 markup
No differences found!

1. Authentication Scheme

Regarding the exact authentication mechanism on HCoop:

We have Kerberos and LDAP working. Kerberos holds user "principals" (account names plus passwords), while LDAP keeps account names plus everything else (UIDs, GIDs, home directories, real names, permissions, etc.). The general policy is: all users have an LDAP account and a Kerberos principal. Admins have a passwd-file account and a Kerberos principal. When needed, admins can also create a purely local, files-based account.

The whole authentication process is performed through a series of PAM (Pluggable Authentication Modules) configuration directives. PAM has four "management groups", listed here in their most common order of execution: auth, account, session, and password. (The exact order of execution is controlled by the order of lines in the /etc/pam.d/* files, with each file corresponding to a particular service.)

  • Auth is concerned with the actual username/password verification against the database.
  • Account checks things like password aging. If the user has an LDAP account, the Kerberos account module is invoked, which checks the list of allowed principals in ~/.k5login. Users with no LDAP account are simply checked against the local password files. Currently, the pam_krb5 module we use does not check password aging information in Kerberos; Russ Allbery wrote a new module which will be in Debian Etch.
  • Session sets up session details, including limits. pam_krb5 is invoked and only succeeds if the user has a Kerberos principal (if they do, it initializes the TGT for them automatically). Then, finally, pam_unix_session is called, which just logs session creation (and later session termination) to the system log files. At that point, users are logged in.
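To make the stacking behaviour above concrete, here is an added simulation (not HCoop's actual PAM files) of the auth, account and session groups under PAM's control flags. The user names, passwords, ~/.k5login contents and stack layouts are all constructed; the `skipN` control stands in for PAM's `[default=N]` jump action.

```python
# Added example, not HCoop's own PAM files: a simulation of the auth, account and
# session stacks above. Data and layouts are constructed; modules take (user, pw, ctx).
LDAP_ACCOUNTS = {"alice", "bob"}                      # ordinary users live in LDAP
KRB_PRINCIPALS = {"alice": "pw-a", "bob": "pw-b", "carol": "pw-c"}
PASSWD_FILE = {"carol": "pw-c", "svc": "pw-s"}        # admin carol, local-only svc
K5LOGIN = {"alice": {"alice"}, "bob": set()}          # bob's ~/.k5login allows nobody

def pam_krb5_auth(user, pw, ctx): return KRB_PRINCIPALS.get(user) == pw
def pam_unix_auth(user, pw, ctx): return PASSWD_FILE.get(user) == pw
def pam_ldap_account(user, pw, ctx): return user in LDAP_ACCOUNTS
def pam_unix_account(user, pw, ctx): return user in PASSWD_FILE
def pam_krb5_account(user, pw, ctx):
    # Principal must appear in ~/.k5login; with no file, user@REALM is allowed.
    return user in K5LOGIN.get(user, {user})
def pam_krb5_session(user, pw, ctx):
    if user in KRB_PRINCIPALS:
        ctx["tgt"] = f"krbtgt for {user}"             # stands in for the real TGT
    return user in KRB_PRINCIPALS                     # no principal: module fails
def pam_unix_session(user, pw, ctx):
    ctx.setdefault("syslog", []).append(f"session opened for user {user}")
    return True

def run_stack(stack, user, pw, ctx):
    """One management group; 'skipN' jumps N entries on failure (PAM's [default=N])."""
    i, failed = 0, False
    while i < len(stack):
        control, module = stack[i]
        ok = module(user, pw, ctx)
        i += 1
        if control == "required" and not ok:
            failed = True                             # keep going, deny at the end
        elif control == "sufficient" and ok and not failed:
            return True                               # short-circuit success
        elif control.startswith("skip") and not ok:
            i += int(control[4:])
    return not failed

STACKS = {
    "auth": [("sufficient", pam_krb5_auth), ("required", pam_unix_auth)],
    "account": [("skip1", pam_ldap_account),          # not in LDAP: jump to files
                ("sufficient", pam_krb5_account), ("required", pam_unix_account)],
    "session": [("optional", pam_krb5_session),       # 'required' here would lock
                ("required", pam_unix_session)],      # out users with no principal
}
def login(user, pw):
    ctx = {}                                          # collects the TGT and syslog lines
    for group in ("auth", "account", "session"):
        if not run_stack(STACKS[group], user, pw, ctx):
            return False, group, ctx
    return True, None, ctx
```

Running `login()` for each constructed user shows the LDAP user with an empty ~/.k5login being refused at the account stage, and the local-only account still getting a logged session without a TGT because pam_krb5 is `optional` there.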

AuthenticationScheme (last edited 2013-01-11 08:39:38 by ClintonEbadi)