krb5-1.12 is released

Simo Sorce simo at redhat.com
Thu Jan 9 13:25:29 EST 2014


On Thu, 2014-01-09 at 09:04 -0800, Russ Allbery wrote:
> Simo Sorce <simo at redhat.com> writes:
> > On Thu, 2014-01-09 at 08:35 -0800, Russ Allbery wrote:
> 
> >> Debian distinguishes between interactive and noninteractive sessions,
> >> yes.  But I don't believe that resetting the session keyring for an
> >> interactive sudo is appropriate, and the author of the pam_keyinit man
> >> page seems to agree with me.
> 
> > Ok, this is getting a little bit off-topic so feel free to ignore or
> > respond privately. But how does an interactive su/sudo session differ
> > from a ssh session to localhost ?
> > In the second case you do create a new session.
> 
> Because frequently the whole point of a su or sudo session is to run
> commands as a different user with your current credentials.  Think AFS
> tokens, for instance (which use the keyring).
> 
> The excerpt from the pam_keyinit man page is:
> 
>     This module should not, generally, be invoked by programs like su,
>     since it is usually desirable for the key set to percolate through to
>     the alternate context. The keys have their own permissions system to
>     manage this.
> 
> I've had similar requests for pam_afs_session and pam_krb5 in the past to
> honor the existing Kerberos ticket cache when changing users.

It seems to me we are talking about different uses of su/sudo here.

When I read the pam_keyinit manpage I think they refer to the common use
of:
su <command>
or sudo <command>

In those cases you *definitely* do not want a new session.

But for su -l/sudo -i you are getting a whole new shell, and the su/sudo
documentation explicitly states it is intended to emulate a new 'login'
shell. I see it as logical that you'd also want a new session in that case,
just like you do for login shells.

Simo.


-- 
Simo Sorce * Red Hat, Inc * New York
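As an added illustration (not part of Simo's message and not any distribution's shipped configuration), this is how the distinction drawn above can be expressed in PAM service files: pam_keyinit is stacked only into the services that represent a fresh login, and left out of the service used for `su <command>` so the caller's session keyring percolates through. The `su-l` service name is an assumption (some distributions route `su -l` through a separate service); check your own /etc/pam.d to see which service files `su -l` and `sudo -i` actually use on your system.

```text
# /etc/pam.d/login  (illustrative fragment, not a distribution's shipped file)
# A console login starts a new session: create a fresh session keyring and
# revoke the inherited one so nothing from the parent context stays visible.
session    optional   pam_keyinit.so  force revoke

# /etc/pam.d/su  (illustrative fragment)
# `su <command>` runs a command as another user with the caller's existing
# credentials, so pam_keyinit is deliberately NOT stacked here: the caller's
# session keyring (AFS tokens, keys held in the keyring, ...) percolates
# through to the alternate context, and key permissions control access.
#session   optional   pam_keyinit.so  force revoke    # intentionally absent

# /etc/pam.d/su-l  (illustrative; assumed to be the service used by `su -l`)
# `su -l` is documented as emulating a login shell, so treat it like login.
session    optional   pam_keyinit.so  force revoke
```

To check which behaviour a given service actually gives you, run `keyctl show @s` (from keyutils) in the calling shell and again inside the shell that su/sudo spawns: the same keyring serial number means the session keyring percolated through, a different serial means pam_keyinit created a new session keyring for the new context.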


