URL: https://github.com/SSSD/sssd/pull/5367 Title: #5367: pam: add pam_sss_gss module for gssapi authentication
sumit-bose commented:
"""
> KRB5CCNAME is now respected, if it is set in env_keep in sudoers (or ldap
> rules). And I
> [asked](https://www.sudo.ws/pipermail/sudo-workers/2020-November/001307.html)
> sudo-workers to see if we can make it available to PAM only. I also updated
> the manpage.

Thanks, it is working fine now. I would suggest to mention `env_keep` details in the `pam_sss_gss` man page since `sudo` is the main use-case here.

While testing I came across a behavior which can be a bug or a feature and we should decide how to handle and/or document it. Currently authentication will be successful if you have a TGT in the credential cache which can be used to successfully request a host ticket. This TGT does not have to be associated with the user calling `sudo`. libkrb5 provides `krb5_aname_to_localname` to translate the Kerberos principal to a local user name, SSSD provides the localauth plugin for this, but inside of SSSD we can just do a `CACHE_REQ_USER_BY_UPN` to check if the principal relates to the user trying to authenticate.

A related item is ccache types which can handle multiple TGTs. Currently the 'active' TGT is used and if the PAM responder would check if the principal matches the user, `pam_sss_gss` should either have a way to select the proper TGT if more than one is available or iterate through the available TGTs (which I guess should be avoided). However, I'm not sure if GSSAPI can do this or if plain libkrb5 calls must be used for this. As an alternative an error message can be shown to the user which can point the user to the `kswitch` utility.

bye,
Sumit
"""

See the full comment at https://github.com/SSSD/sssd/pull/5367#issuecomment-738725029
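The check Sumit describes (the principal owning the TGT in the credential cache must map to the local account that is actually authenticating) is illustrated below. This is an added example, not code from the PR or from SSSD or libkrb5: instead of calling `krb5_aname_to_localname` it models the MIT krb5 DEFAULT auth_to_local rule in plain C (a single-component principal in the default realm maps to its first component; anything else has no local mapping), with `DEFAULT_REALM`, the helper names and the sample principals all constructed for the example. In a real module the principal would come from the ccache and the local name from `krb5_aname_to_localname` or SSSD's UPN lookup; the decision logic is the same.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed: stands in for the default_realm from [libdefaults]. */
#define DEFAULT_REALM "EXAMPLE.COM"

/* Model of the krb5 DEFAULT auth_to_local rule (assumption: no custom
 * auth_to_local rules, no backslash-escaped '@' or '/' in the name):
 * a single-component principal in the default realm maps to its first
 * component; a foreign realm or a multi-component principal such as
 * host/... or user/admin has no local mapping.
 * Returns true and writes the local name to 'out' on success. */
bool principal_to_localname(const char *principal, char *out, size_t outlen)
{
    const char *at = strrchr(principal, '@');
    if (at == NULL || at == principal || at[1] == '\0')
        return false;                      /* no name or no realm */
    if (strcmp(at + 1, DEFAULT_REALM) != 0)
        return false;                      /* foreign realm: no mapping */

    size_t namelen = (size_t)(at - principal);
    if (memchr(principal, '/', namelen) != NULL)
        return false;                      /* multi-component principal */
    if (namelen >= outlen)
        return false;

    memcpy(out, principal, namelen);
    out[namelen] = '\0';
    return true;
}

/* The proposed check: accept only if the ccache principal maps to the
 * same local account that PAM is authenticating. A TGT that merely
 * exists and can fetch a host ticket is not enough. */
bool ccache_principal_matches_user(const char *ccache_principal,
                                   const char *pam_user)
{
    char local[256];
    if (!principal_to_localname(ccache_principal, local, sizeof local))
        return false;
    return strcmp(local, pam_user) == 0;
}

int main(void)
{
    /* Constructed cases: who owns the TGT vs. who is running sudo. */
    struct { const char *princ; const char *user; } cases[] = {
        { "alice@EXAMPLE.COM",       "alice" },   /* accept */
        { "bob@EXAMPLE.COM",         "alice" },   /* someone else's TGT */
        { "alice@OTHER.ORG",         "alice" },   /* foreign realm */
        { "alice/admin@EXAMPLE.COM", "alice" },   /* admin instance */
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("%-26s for user %-6s -> %s\n", cases[i].princ, cases[i].user,
               ccache_principal_matches_user(cases[i].princ, cases[i].user)
                   ? "accept" : "reject");
    return 0;
}
```

The second case is the one the comment is worried about: a valid TGT for `bob` sitting in the ccache that `alice`'s `sudo` session picks up. With only a host-ticket request the authentication succeeds; with the mapping check it is rejected, and the multi-TGT collection case would then need either a ccache selection step or a message pointing at `kswitch`.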
_______________________________________________
sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org
To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/sssd-devel@lists.fedorahosted.org