From 32229ab5957001ca87b6036ffefc710e358ea811 Mon Sep 17 00:00:00 2001 From: Benjamin Kaduk Date: Thu, 24 Dec 2015 19:46:29 -0600 Subject: [PATCH] Remove recommendation to use NoAuth from NoAuth.5 Do not document that there are cases when this file should exist; there are not. Installation no longer needs this file, and key emergencies can be handled using asetkey or, on 1.8.x, the kerberos tooling to modify rxkad.keytab. Change-Id: I0c3ba15f3ffca8660be2d8b092f10053258742e6 Reviewed-on: https://gerrit.openafs.org/12142 Reviewed-by: Benjamin Kaduk Reviewed-by: Michael Meffie Tested-by: Benjamin Kaduk --- doc/man-pages/pod5/NoAuth.pod | 25 +++++++------------------ 1 file changed, 7 insertions(+), 18 deletions(-) diff --git a/doc/man-pages/pod5/NoAuth.pod b/doc/man-pages/pod5/NoAuth.pod index de2b988fb8..ad3e06a3b9 100644 --- a/doc/man-pages/pod5/NoAuth.pod +++ b/doc/man-pages/pod5/NoAuth.pod 
@@ -11,25 +11,14 @@ any action for any user who logs into the machine's local file system or issues a remote command that affects the machine's AFS server functioning, such as commands from the AFS command suites. Because failure to check authorization exposes the machine's AFS server functionality to attack, -there are normally only two circumstances in which the file is present: +this file should never be created. It was once necessary to use +NoAuth when initializing a new cell, but B<-localauth> and other +tooling means that new cells can be running securely from the start. +As such, this file is just a historical vestige. -=over 4 - -=item * - -During installation of the machine, as instructed in the I. - -=item * - -During correction of a server encryption key emergency, as discussed in -the I. - -=back - -In all other circumstances, the absence of the file means that the AFS -server processes perform authorization checking, verifying that the issuer -of a command has the required privilege. +The absence of the file means that the AFS server processes perform +authorization checking, verifying that the issuer of a command has the +required privilege. Create the file in one of the following ways:
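Review bot: the trailing context line "Create the file in one of the following ways:" now comes directly after the new text "this file should never be created", so the page tells the administrator never to create NoAuth and then introduces instructions for creating it. Consider rewording or removing that section in the same change, for example by framing it as how the file can come to exist so that an administrator knows what to look for and remove. The new paragraph also drops the key-emergency case without naming a replacement; the commit message points to asetkey and, on 1.8.x, the Kerberos tooling for rxkad.keytab, and a one-sentence pointer in the man page itself would help someone who reaches it during such an emergency. Minor: in "B<-localauth> and other tooling means", the verb should be "mean".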