su + pam-krb5 + alt_auth_map

Russ Allbery rra at stanford.edu
Tue Oct 1 12:57:17 EDT 2013


kjl <kjl at rzg.mpg.de> writes:

> when trying to replace "ksu" by "su" and "pam-krb5" I'm facing
> some difficulties if I configure "alt_auth_map=%s/root" (see below)
> to use the root instance account of the username. According to
> the pam-krb5 manpage this should be possible.
> In the Kerberos Log appears
> "AS-REQ root/root at XXX from XXX ..."
> instead of the expected "<user>/root" principal.
> Perhaps someone can point me in the right direction on how to solve
> this issue.

I guess the first question I'd have is why you want to replace ksu with su
and pam-krb5.  ksu does all of the principal mapping that you are
otherwise having to configure, so I would expect it to just work.

The problem that you're having here is that alt_auth_map is a mapping
based on the target principal, and for su the target principal is root.
So this doesn't do what you want.  pam-krb5 isn't set up to look at the
user that you're coming *from*, since that would require su-specific
knowledge.

That's why the example in the man page uses sudo.  sudo authenticates as
the user, not as root, before giving root privileges, which means that the
user from the PAM perspective is set to the current user, and then
alt_auth_map works properly.

-- 
Russ Allbery (rra at stanford.edu)             <http://www.eyrie.org/~eagle/>
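
The difference described above between su and sudo, as an added example that is not part of the original message or of pam-krb5's code: a simplified Python model of the alt_auth_map expansion. The realm EXAMPLE.ORG, the two PAM lines and the function names are constructed for illustration; the try-alternate-first ordering and the only_alt_auth behaviour follow the pam-krb5 man page and are assumptions of this model, as is the restriction to usernames without a realm.

```python
"""Simplified model of pam-krb5's alt_auth_map expansion (illustration only)."""

DEFAULT_REALM = "EXAMPLE.ORG"  # constructed placeholder realm

# Constructed PAM lines; simple control fields only (no "[...]" syntax).
SU_LINE = "auth sufficient pam_krb5.so alt_auth_map=%s/root"
SUDO_LINE = "auth required pam_krb5.so alt_auth_map=%s/root only_alt_auth"


def krb5_options(pam_line):
    """Return the pam_krb5.so options on a PAM line, or None for other modules."""
    fields = pam_line.split()
    if len(fields) < 3 or not fields[2].endswith("pam_krb5.so"):
        return None
    options = {}
    for option in fields[3:]:
        key, _, value = option.partition("=")
        options[key] = value  # flag options get an empty value
    return options


def principals_tried(pam_line, pam_user, realm=DEFAULT_REALM):
    """List the principals the model would request, in order.

    pam_user is the user PAM was asked to authenticate: the *target* user
    for su, the *invoking* user for sudo. Assumes pam_user carries no realm.
    """
    options = krb5_options(pam_line)
    if options is None:
        return []
    standard = f"{pam_user}@{realm}"
    template = options.get("alt_auth_map")
    if not template:
        return [standard]
    # %s expands to the PAM user, whoever actually typed the command.
    alternate = f"{template.replace('%s', pam_user)}@{realm}"
    if "only_alt_auth" in options:
        return [alternate]
    # Assumption from the man page: alternate first, then the standard principal.
    return [alternate, standard]


if __name__ == "__main__":
    # kjl runs "su": PAM authenticates root, so the map yields root/root.
    print("su  :", principals_tried(SU_LINE, "root"))
    # kjl runs "sudo": PAM authenticates kjl, so the map yields kjl/root.
    print("sudo:", principals_tried(SUDO_LINE, "kjl"))
```

The first principal in the su case corresponds to the "AS-REQ root/root" entry seen in the KDC log.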

