[sudo-workers] Kerberize sudo - include KRB5CCNAME in PAM environment

Pavel Březina pbrezina at redhat.com
Mon Nov 30 05:22:51 MST 2020

Hi sudo workers,
We discussed the possibility of including GSSAPI authentication in 
sudo some time ago [1]. In the end, we chose to develop a new PAM module 
inside SSSD to do that - mostly because it does not require any further 
configuration from the administrator, as SSSD already knows the details 
of the user's domain. [2]

Unfortunately, if a user is using a non-default ccache (via the 
KRB5CCNAME environment variable), the authentication fails [3] because 
sudo apparently clears the environment before executing the PAM stack, 
so the variable is not available to the module. This can be worked 
around by including KRB5CCNAME in env_keep; however, this will also make 
it available to the executed command, which may not always be desirable.

What can we do about it? Can we postpone the environment reset until 
after PAM, or does it have any security meaning I am not aware of? Or 
can we include some pam_env_keep whitelist?


Best regards,

[1] https://www.sudo.ws/pipermail/sudo-workers/2019-November/001260.html
[2] https://github.com/SSSD/sssd/pull/5367
[3] https://github.com/SSSD/sssd/pull/5367#issuecomment-733685105
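The env_keep workaround the message describes, written out as an added sudoers example. This is not from the message above nor from sudo's or SSSD's own documentation; the group name "kerbusers" and the idea of scoping the entry to one group are assumptions for illustration, and whether a user-scoped Defaults entry is applied early enough to help the PAM module is something to verify on the target sudo version.

```sudoers
# Added example, not from the original message.
# sudo resets the environment before running the PAM stack, so KRB5CCNAME
# (a non-default Kerberos ccache location) is not visible to a PAM module
# unless sudoers preserves it.

# Host-wide: preserve KRB5CCNAME on every sudo invocation. This makes the
# variable available to the PAM module, but also to every command sudo
# runs, which is the exposure the message warns about.
Defaults env_keep += "KRB5CCNAME"

# Narrower alternative (assumed group name "kerbusers"): a Defaults entry
# restricted to one group, so only those users' commands see the variable.
Defaults:%kerbusers env_keep += "KRB5CCNAME"
```

To check the effect, run `sudo -V` as root and look for KRB5CCNAME under "Environment variables to preserve", then run `sudo env | grep KRB5CCNAME` as an affected user with a non-default ccache set: if it prints the variable, the executed command can see it, which is exactly the trade-off the message raises.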
