[sudo-workers] Kerberize sudo - include KRB5CCNAME in PAM environment
Pavel Březina
pbrezina at redhat.com
Mon Nov 30 05:22:51 MST 2020
Hi sudo workers,
we discussed the possibility of including GSSAPI authentication in
sudo some time ago [1]. In the end, we chose to develop a new PAM module
inside SSSD to do that - mostly because it does not require any further
configuration from the administrator, as SSSD already knows the details of
the user's domain. [2]
Unfortunately, if the user is using a non-default ccache (via the KRB5CCNAME
environment variable), the authentication fails [3] because sudo
apparently clears the environment before executing the PAM stack, so the
variable is not available to the module. This can be worked around by
including KRB5CCNAME in env_keep; however, this will also make it
available to the executed command, which may not always be desirable.
What can we do about it? Can we postpone the environment reset until after PAM, or
does it have any security meaning I am not aware of? Or can we include
some pam_env_keep whitelist?
Thanks.
Best regards,
Pavel.
[1] https://www.sudo.ws/pipermail/sudo-workers/2019-November/001260.html
[2] https://github.com/SSSD/sssd/pull/5367
[3] https://github.com/SSSD/sssd/pull/5367#issuecomment-733685105