su + pam-krb5 + alt_auth_map

kjl kjl at rzg.mpg.de
Wed Oct 2 08:44:23 EDT 2013


On 10/01/2013 06:57 PM, Russ Allbery wrote:
> kjl<kjl at rzg.mpg.de>  writes:
>
>> when trying to replace "ksu" by "su" and "pam-krb5" I'm facing
>> some difficulties, if I configure "alt_auth_map=%s/root" (see below)
>> to use of the root instance account of the username. According to
>> the pam-krb5 manpage this should be possible.
>> In the Kerberos Log appears
>> "AS-REQ root/root at XXX from XXX ..."
>> instead of the expected "<user>/root" principal.
>> Perhaps someone can point me into the right direction how to solve this
>> issue.
> I guess the first question I'd have is why you want to replace ksu with su
> and pam-krb5.  ksu does all of the principal mapping that you are
> otherwise having to configure, so I would expect it to just work.
>
> The problem that you're having here is that alt_auth_map is a mapping
> based on the target principal, and for su the target principal is root.
> So this doesn't do what you want.  pam-krb5 isn't set up to look at the
> user that you're coming *from*, since that would require su-specific
> knowledge.
>
> That's why the example in the man page uses sudo.  sudo authenticates as
> the user, not as root, before giving root privileges, which means that the
> user from the PAM perspective is set to the current user, and then
> alt_auth_map works properly.
>

Thank you for the detailed explanation.
There was an internal discussion, where it turned out to try this path
(su or sudo + alt_auth_map), because there were doubts whether ksu is
appropriate in a future SELinux and LDAP (via pam) environment.
But it seems ksu can handle both on newer systems, for example:

openSUSE 12.3 (x86_64)
VERSION = 12.3
CODENAME = Dartmouth
/usr/lib/mit/bin/ksu
krb5-client-1.10.2-10.2.1.x86_64
 > ldd /usr/lib/mit/bin/ksu
         linux-vdso.so.1 (0x00007fffd03ff000)
         libkrb5.so.3 => /usr/lib64/libkrb5.so.3 (0x00007f916defb000)
         libcom_err.so.2 => /lib64/libcom_err.so.2 (0x00007f916dcf7000)
         libkrb5support.so.0 => /usr/lib64/libkrb5support.so.0 (0x00007f916daed000)
         libpam.so.0 => /lib64/libpam.so.0 (0x00007f916d8df000)
         libc.so.6 => /lib64/libc.so.6 (0x00007f916d532000)
         libk5crypto.so.3 => /usr/lib64/libk5crypto.so.3 (0x00007f916d309000)
         libkeyutils.so.1 => /lib64/libkeyutils.so.1 (0x00007f916d105000)
         libresolv.so.2 => /lib64/libresolv.so.2 (0x00007f916ceee000)
         libpthread.so.0 => /lib64/libpthread.so.0 (0x00007f916ccd2000)
         /lib64/ld-linux-x86-64.so.2 (0x00007f916e1cf000)
         libselinux.so.1 => /lib64/libselinux.so.1 (0x00007f916cab2000)
         libdl.so.2 => /lib64/libdl.so.2 (0x00007f916c8ae000)
         libaudit.so.1 => /usr/lib64/libaudit.so.1 (0x00007f916c691000)

You are right, there is no need to replace ksu.

Best wishes,
Karl
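The point Russ makes above (alt_auth_map substitutes the PAM user, which for su is the target account root and for sudo is the invoking user) can be checked with a small model. The following is an added example written for this page; it is not code from the thread, from pam-krb5 or from su/sudo. It assumes the option names `alt_auth_map` and `only_alt_auth` as documented in the pam-krb5 man page, a constructed realm `EXAMPLE.COM`, and the hypothetical invoking user `kjl`.

```python
"""Model of how pam-krb5's alt_auth_map picks a principal (added example,
not code from the thread or from pam-krb5 itself)."""


def pam_user_for(tool, invoking_user, target="root"):
    """Which PAM user each tool presents when a local user asks for root.

    su authenticates as the *target* account; sudo authenticates as the
    *invoking* user and only afterwards switches to root.
    """
    if tool == "su":
        return target
    if tool == "sudo":
        return invoking_user
    raise ValueError("unknown tool: " + tool)


def parse_pam_krb5_args(argstr):
    """Parse 'key=value' and bare flag tokens from a pam_krb5.so argument list."""
    opts = {}
    for tok in argstr.split():
        key, sep, val = tok.partition("=")
        opts[key] = val if sep else True
    return opts


def candidate_principals(pam_user, opts, realm="EXAMPLE.COM"):
    """Return the principals pam-krb5 would try, in order.

    alt_auth_map substitutes the PAM user for %s; without only_alt_auth the
    plain principal remains as a fallback. Realm is a constructed value.
    """
    plain = f"{pam_user}@{realm}"
    template = opts.get("alt_auth_map")
    if not template:
        return [plain]
    mapped = template.replace("%s", pam_user)
    if "@" not in mapped:
        mapped += "@" + realm
    if opts.get("only_alt_auth"):
        return [mapped]
    return [mapped, plain]


if __name__ == "__main__":
    # Same module arguments as in the question, applied via su and via sudo.
    opts = parse_pam_krb5_args("alt_auth_map=%s/root only_alt_auth")
    for tool in ("su", "sudo"):
        user = pam_user_for(tool, "kjl")  # "kjl" is a hypothetical user
        print(f"{tool}: PAM user={user} -> {candidate_principals(user, opts)}")
```

Running it prints the AS-REQ target `root/root@EXAMPLE.COM` for su and `kjl/root@EXAMPLE.COM` for sudo, which is exactly the difference observed in the KDC log in the original question. Dropping `only_alt_auth` keeps `kjl@EXAMPLE.COM` as a second candidate, so auditing a KDC log for unexpected plain-principal fallbacks is one way to confirm the mapping is being enforced.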
