On Thursday, 22 January 2015 at 19:34 -0500, Jason Edgecombe wrote:
> On 01/22/2015 12:53 PM, Yvan Masson wrote:
> > Thanks for your fast answers.
> >
> > On Tuesday, 20 January 2015 at 20:37 -0500, Jason Edgecombe wrote:
> >> On 01/20/2015 03:46 PM, Benjamin Kaduk wrote:
> >>> Hi,
> >>>
> >>> On Tue, 20 Jan 2015, Yvan Masson wrote:
> >>>
> >>>> Hi,
> >>>>
> >>>> I'm currently preparing the installation of Debian 8 Jessie (the current
> >>>> almost stable) workstations in an OpenAFS environment. Users can log in
> >>>> with their AFS credentials.
> >>>> My problem is that if a user uses the "sudo" command, he loses his AFS
> >>>> token. After that, the user can use "aklog" to get a new token. The
> >>>> Kerberos tickets are not destroyed.
> >>> I don't use sudo on my debian machines (just su), so I think you may need
> >>> to clarify a bit more: is sudo being used to run a single command with
> >>> privilege, or to run an interactive shell (as in sudo -i)?
> > The most important for me would be just one command (for example "sudo
> > ls").
> >> Is only the
> >>> terminal where sudo was run affected, or are other terminal windows
> >>> affected as well?
> > If I use sudo in gnome-terminal for example, the token is lost for this
> > terminal and for all my X session: this is my biggest problem. But if I
> > also have a running TTY, the token in my TTY is not destroyed.
> >>>> I suppose that I should do something with PAM, probably
> >>>> in /etc/pam.d/sudo, but I don't know exactly what.
> >>> Well, it probably depends on whether the default (uid-based) pag is in
> >>> use, or a session-specific pag.
> >>>
> >>> I think that with jessie's kernel the pag information is stored in the
> >>> keyring, so 'keyctl show' before and after sudo is run may be helpful.
> > Pardon, but I don't know how to use this tool: can I run it from a
> > terminal?
I finally understood that I needed the keyutils package...
So if I run "keyctl show" before and after a sudo command, the results are
exactly identical:

$ keyctl show
Session Keyring
 901610366 ---lswrv      0  1000  keyring: _ses.2400
 130758458 ----s--v      0     0   \_ afs_pag: _pag

> >
> >> Here is another data point from my experience on RHEL5 with
> >> pam_afs_session. I've noticed the following functionality:
> >>
> >> command           keeps tokens
> >> 'sudo -i'         no
> >> 'sudo -s'         yes
> >> 'sudo /bin/bash'  yes
> > For all of these commands, I keep the token while I am root, but it is
> > destroyed when I type "exit".
> >
> It sounds like you have the 'unlog' program somewhere in your logout
> script. I think that unlog should be handled by your PAM afs module.
Sorry but I do not know where "unlog" could be run after a sudo... I
checked in ~/.bash_logout but it is not there. Could you tell me where I
should look?

Regards,
Yvan

> Jason
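As an added example (not part of the thread or of OpenAFS), here is a small Python script that follows Benjamin's suggestion: it parses two "keyctl show" snapshots, one taken before and one after the sudo command, and reports whether the session keyring's afs_pag key was kept, replaced or lost. The "before" sample is the output quoted above; the "replaced" key id 224466880 is a hypothetical value constructed for the example.

```python
import re
import subprocess
from typing import Dict, Optional

# Constructed sample: the `keyctl show` output quoted in the thread (before sudo).
BEFORE = """Session Keyring
 901610366 ---lswrv      0  1000  keyring: _ses.2400
 130758458 ----s--v      0     0   \\_ afs_pag: _pag
"""
# Constructed samples of the two failure modes; key id 224466880 is hypothetical.
AFTER_REPLACED = BEFORE.replace("130758458", "224466880")
AFTER_LOST = "".join(BEFORE.splitlines(keepends=True)[:2])

# One keyctl row: serial, perms, uid, gid, optional "\_ " tree prefix, "type: description".
ROW_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\d+)\s+(\d+)\s+(?:\\_\s+)?(\w+):\s*(\S+)")


def parse_keyctl_show(output: str) -> Dict[str, Optional[str]]:
    """Return the session keyring serial and the afs_pag key serial (None if absent)."""
    found: Dict[str, Optional[str]] = {"session": None, "afs_pag": None}
    for line in output.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue  # e.g. the "Session Keyring" header line
        serial, _perms, _uid, _gid, ktype, _desc = m.groups()
        if ktype == "keyring" and found["session"] is None:
            found["session"] = serial  # first keyring row is the session keyring
        elif ktype == "afs_pag":
            found["afs_pag"] = serial
    return found


def pag_status(before: str, after: str) -> str:
    """'kept', 'replaced' (new PAG key, old tokens unreachable), 'lost' or 'none'."""
    b, a = parse_keyctl_show(before), parse_keyctl_show(after)
    if b["afs_pag"] is None and a["afs_pag"] is None:
        return "none"  # uid-based PAG or no PAG at all
    if a["afs_pag"] is None:
        return "lost"  # afs_pag key vanished from the session keyring
    if b["afs_pag"] == a["afs_pag"] and b["session"] == a["session"]:
        return "kept"  # same PAG, same session keyring: tokens should survive
    return "replaced"


def snapshot() -> str:
    """Capture live `keyctl show` output (requires the keyutils package)."""
    return subprocess.run(["keyctl", "show"], capture_output=True, text=True, check=True).stdout
```

On a real workstation, call snapshot() in the terminal before the sudo command and again afterwards, then feed both strings to pag_status(); "kept" with tokens still gone points at something other than the PAG (such as an unlog in a shell exit path), while "replaced" or "lost" points at the PAM session setup.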
_______________________________________________ OpenAFS-info mailing list [email protected] https://lists.openafs.org/mailman/listinfo/openafs-info
