PAM and arla

Charles Karney karney at pppl.gov
Wed Jul 21 20:33:30 CEST 1999


 > From: Tim Yardley <yardley at ncsa.uiuc.edu>
 > To: Tobias Schaefer <T.Schaefer at science-computing.de>
 > cc: Assar Westerlund <assar at sics.se>, arla-drinkers at stacken.kth.se,
 >         kth-krb-bugs at nada.kth.se
 > Subject: Re: PAM and arla
 > Date: Tue, 20 Jul 1999 15:45:24 -0500 (CDT)
 > 
 > On Tue, 20 Jul 1999, Tobias Schaefer wrote:
 > : But I _do_ think that even root's token should be protected by a PAG. If
 > : this is not possible, every daemon on the system works with this token.
 > : This is unnecessary at best.
 > 
 > I don't remember the exact reasoning, but if I recall correctly...
 > Transarc decided that root should not get a pag shell.  This was decided
 > for some security reason, however... I do not recall exactly what it was.

I think this (not automatically giving root a PAG) is the RIGHT behavior.
Here's why:

At one time our users started complaining that their AFS tokens were
disappearing and being replaced by the tokens of different users.

The problem turned out to be our using ssh with Dug Song's
ssh-afs-kerberos patch.  I had logged in as root using ssh.  This had
provided me a PAG (but no AFS tokens).  I had then restarted XDM, which
also inherited the same PAG.  Thereafter, everyone who logged in via XDM
shared the same PAG and so anytime someone did a klog he changed the tokens
for all the XDM users.

Result: confusion and a possibly serious security breach.

Two other things were needed to make this happen: no separate PAG creation
during XDM logins (nowadays we use PAM to do this) and no use of pagsh by
users.

Nevertheless, I think it's very important that, by default, root should NOT
have a PAG.   Otherwise, any system work he does is likely to inherit the
PAG causing all sorts of anomalies.

I requested this feature from Tobias for the Linux AFS PAM module (which
he kindly provided), and I've made a patch to the ssh-afs-kerberos patch to
do the same thing.   I'll provide this if anyone wants.  Basically it does
things like

-  if (k_hasafs()) {
+  if (pw->pw_uid != UID_ROOT && k_hasafs()) {
     k_setpag();
     k_unlog();
   }
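Review bot: the new guard `pw->pw_uid != UID_ROOT && k_hasafs()` skips both `k_setpag()` and `k_unlog()` for uid 0, so a root login neither gets a fresh PAG nor has any inherited tokens cleared; since the rest of the message relies on admins running an explicit pagsh afterwards, a one-line comment at this point stating why root is excluded would save the next reader from "fixing" it, and the hunk does not show where `UID_ROOT` is defined, so confirm it is in scope in this file.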

On the occasions when root needs an AFS token we require our system admins
to do an explicit pagsh.  (And, of course, it's very dangerous if they
neglect to do the pagsh.  For example, the ftp daemon running as UID 0
might share the AFS token.)

-- 
Charles Karney
Plasma Physics Laboratory	  E-mail:  Karney at Princeton.EDU
Princeton University		  Phone:   +1 609 243 2607
Princeton, NJ 08543-0451	  FAX:	   +1 609 243 3438