[OpenAFS-devel] Get no token when su-ing with sudo

[Charles Clancy]

> >> root is a local user on the machines, so I'm using the 'ignore_root'
> >> setting in the PAM configuration already. I added now the
> >> 'refresh_tokens' option, but that doesn't change the behavior at all.
> >> I still end up without a token after I typed in the password.
> >
> > Okay -- it looks like a bug (or at least incompatability) with sudo. The
> > sudo PAM client calls "pam_authenticate" on the AFS user authenticating,
> > but then calls "pam_setcred" and "pam_opensession" on the user you're
> > switching to.  PAM (at least the pam_afs module) isn't designed to
> > authenticate as one user, and then open a session for another.
>
> Well that's not really the case: I don't want to run with a "root" token
> later on. (If that is what you mean with "open a session for another")
> The token I want to have in the end, is the one of my (admin) AFS id.

I understood what you wanted.  Perhaps a better expanation of PAM and
pam_afs is in order.

PAM authentication consists of the following steps:

auth: authentication, where the password is checked.  By default, pam_afs
does this by creating a PAG, getting you a 1 second lifetime token, and
then destroying the token.

setcred: set credentials, using the same module settings as auth.  For
pam_afs, this is where your token is actually obtained.  A PAG is also
created if one does not already exist.

session: consists of opensession and closesession, and only "supposed" to
be called if a TTY is being allocated for the user authenticating.

So, for example, an SSH server would call auth, then setcred, then
opensession for an incoming user.  An SCP server would only call auth and
setcred.

The problem is that for user 'foo' logged in, and running sudo commands
for users 'root', sudo's PAM code does the following:

1. calls auth on user 'foo' to check the password
2. calls setcred on user 'root' to create credentials for the new user
3. calls openssession on 'root' to set up the TTY for the new user

With pam_afs, a PAG is created in step 1, and the token is deleted. In
step two, no AFS token is obtained, because there is no password in memory
to go with the username root that could ever get you a token.  Pam_afs
does not implement opensession (simply does a "return PAM_SUCCESS;")

When you run sudo for a second time, after having already authenticated
within the past 10 minutes, NONE of the PAM code is run.  Therefore, you
don't get a new PAG created, and you can use the token you already have,
which is associated with your current PAG.

Hopefully, that clears things up.  If the suggestions for sudo fixes in my
last post still don't make sense, let me know.

[ t charles clancy ]--[ tclancy@uiuc.edu ]--[ www.uiuc.edu/~tclancy ]
     illinois center for cryptography and information protection
       coordinated science laboratory | university of illinois