[OpenAFS] OpenAFS and sudo

Benjamin Kaduk kaduk@MIT.EDU
Tue, 20 Jan 2015 15:46:21 -0500 (EST)


On Tue, 20 Jan 2015, Yvan Masson wrote:

> Hi,
> I'm currently preparing the installation of Debian 8 Jessie (the current
> almost stable) workstations in an OpenAFS environment. Users can log in
> with theirs AFS credentials.
> My problem is that if a user use the "sudo" command, he looses his afs
> token. After that, the user can use "aklog" to get a new token. The
> Kerberos tickets are not destroyed.

I don't use sudo on my debian machines (just su), so I think you may need
to clarify a bit more: is sudo being used to run a single command with
privilege, or to run an interactive shell (as in sudo -i)?  Is only the
terminal where sudo was run affected, or are other terminal windows
affected as well?

> I suppose that I should do someting with PAM, probably
> in /etc/pam.d/sudo, but I don't know exactly what.

Well, it probably depends on whether the default (uid-based) pag is in
use, or a session-specific pag.

I think that with jessie's kernel the pag information is stored in the
keyring, so 'keyctl show' before and after sudo is run may be helpful.

-Ben Kaduk