[OpenAFS] A security hole or a mistake of configuration

Charles Clancy security@xauth.net
Wed, 6 Feb 2002 22:56:51 -0600 (CST)


> Without PAM configured,
> <1> USER1 uses klog to log in to AFS (tty1)
> <2> switch to another terminal (tty2), log in as root, and su USER1, and
> this terminal gets tokens like tty1 without any password

Use 'klog -setpag'.  See Russ's explanation.  In a krb5 environment, use
'aklog -setpag'.

> With PAM configured, it would not be like that.

pam_afs.so will do a setpag() for all authentications, except where the
"refresh_tokens" option is specified.  It can't "refresh" the lifetime on
a token (i.e., get a new one) if it creates a new pag, because then the
token would die along with the application calling it (typically used with
xscreensaver).

--
t. charles clancy <> tclancy@uiuc.edu <> www.uiuc.edu/~tclancy
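An added example, not part of the original thread or of OpenAFS itself: a small POSIX shell script a defender can use to tell whether a session sits in its own PAG (the process authentication group that `klog -setpag`, `aklog -setpag` and `pam_afs.so` create) or whether its tokens are keyed only by UID, in which case every process of that UID, including one reached via `su` from root, sees them. Two things are assumptions rather than facts taken from the post: the layout of `tokens` output that the parser looks for (one line per token containing the words "tokens for"), and the way the Linux OpenAFS client exposes a PAG as a supplementary group id in the range 0x41000000 to 0x41FFFFFF. The sample `tokens` outputs embedded in the script are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post or from OpenAFS).
# Decides whether this session is in a PAG and whether it holds AFS tokens.

# count_afs_tokens TEXT: print the number of token lines found in TEXT,
# which is expected to be the output of the `tokens` command.
# Assumption: each held token is reported on a line containing "tokens for".
count_afs_tokens() {
    printf '%s\n' "$1" | grep -c 'tokens for '
}

# has_afs_tokens TEXT: exit 0 (true) when TEXT reports at least one token.
has_afs_tokens() {
    printf '%s\n' "$1" | grep -q 'tokens for '
}

# in_pag_from_groups GROUPS: exit 0 when GROUPS (space-separated gids, as
# printed by `id -G`) contains a gid in the range the Linux OpenAFS client
# uses to mark a PAG. Assumption: 0x41000000..0x41FFFFFF (1090519040..1107296255).
in_pag_from_groups() {
    for gid in $1; do
        case $gid in
            *[!0-9]*) continue ;;   # ignore anything that is not a plain number
        esac
        if [ "$gid" -ge 1090519040 ] && [ "$gid" -le 1107296255 ]; then
            return 0
        fi
    done
    return 1
}

# afs_session_report: when the AFS client tools are installed, describe the
# calling session; otherwise say so and do nothing else.
afs_session_report() {
    if ! command -v tokens >/dev/null 2>&1; then
        echo "AFS client tools not found; skipping live check"
        return 0
    fi
    if in_pag_from_groups "$(id -G)"; then
        echo "this session is in a PAG: its tokens are private to this process tree"
    else
        echo "this session has NO PAG: tokens obtained here are shared by every"
        echo "process running as uid $(id -u), including one reached via su"
    fi
    echo "tokens held: $(count_afs_tokens "$(tokens 2>/dev/null)")"
}

# Constructed sample outputs (not captured from a real host) used to exercise
# the parser offline.
SAMPLE_WITH_TOKENS="Tokens held by the Cache Manager:

User's (AFS ID 1234) tokens for afs@example.org [Expires Feb  7 10:56]
   --End of list--"

SAMPLE_NO_TOKENS="Tokens held by the Cache Manager:

   --End of list--"

afs_session_report
```

Run it once from the tty where `klog` was used and once from a second login of the same user: the post's symptom corresponds to the "NO PAG" branch on both terminals, while after `klog -setpag` (or a `pam_afs.so` login without `refresh_tokens`) the second session reports no tokens of its own.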