June 2, 2023 12:44 AM, "Timo Aaltonen" <[email protected]> wrote:
> J. Pfennig wrote on 31.5.2023 at 21.34:
>
>> Package: libpam-sss
>> Version: 2.8.2-4
>> Severity: normal
>> File: /lib/x86_64-linux-gnu/security/pam_sss.so
>>
>> Dear Maintainer,
>>
>> * What led up to the situation?
>>   using kerberos, AD/DC, sssd and its pam module
>>
>> * What exactly did you do (or not do) that was effective (or
>>   ineffective)?
>>   kinit ...          # to get a kerberos ticket
>>   echo $KRB5CCNAME   # path to credential cache
>>   sudo -i user2
>>   echo $KRB5CCNAME   # ORIGINAL path to credential cache
>>
>> * What was the outcome of this action?
>>   kinit, klist et al fail, wrong credential cache
>>   echo $KRB5CCNAME   # path from original user
>>
>> * What outcome did you expect instead?
>>   KRB5CCNAME must not be passed
>>
>> the case is described better than I can do at:
>> https://bugzilla.redhat.com/show_bug.cgi?id=1324486
>>
>> Bug fixed there in 2017. Could Debian fix it too?
>
> The default value for pam_response_filter should already be
> 'ENV:KRB5CCNAME:sudo, ENV:KRB5CCNAME:sudo-i', so this issue should not happen since 2.5.1.
>
> --
> t

But it still shows up in bookworm. I didn't know that a simple sudo is also affected, making things much worse. For sudo -i we can put a 'unset KRB5CCNAME' into .profile.

Here are some more details:

############ ENVIRONMENTS ############

login jpf   # a samba AD/DC user
env         # output follows ...
SHELL=/bin/bash
XDG_SEAT=seat0
PWD=/home/jpf
KRB5CCNAME=FILE:/tmp/krb5cc_30010_i1f8Bd
LOGNAME=jpf
XDG_SESSION_TYPE=tty
SYSTEMD_EXEC_PID=5152
MOTD_SHOWN=pam
LINES=60
HOME=/home/jpf
LANG=de_DE.UTF-8
COLUMNS=192
TMPDIR=/run/user/30010
INVOCATION_ID=0aef719acd824994b41aded975d5743f
LESSCLOSE=/usr/bin/lesspipe %s %s
XDG_SESSION_CLASS=user
TERM=linux
LESSOPEN=| /usr/bin/lesspipe %s
USER=jpf
SHLVL=1
XDG_VTNR=2
XDG_SESSION_ID=5
XDG_RUNTIME_DIR=/run/user/30010
XDG_DATA_DIRS=/home/jpf/.local/share/flatpak/exports/share:/var/lib/flatpak/exports/share:/usr/local/share/:/usr/share/
HUSHLOGIN=FALSE
TMP=/run/user/30010
PATH=/shared/python/bin:/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games
GDK_DPI_SCALE_FIREFOX=0.8
DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/30010/bus
MAIL=/var/mail/jpf

sudo -u local env   # a local /etc/passwd user
# output follows...
_=/usr/bin/env
KRB5CCNAME=FILE:/tmp/krb5cc_30010_i1f8Bd
HOME=/home/jpf
LANG=de_DE.UTF-8
TERM=linux
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
MAIL=/var/mail/local
LOGNAME=local
USER=local
SUDO_COMMAND=/usr/bin/env
SUDO_USER=jpf
SUDO_UID=30010
SUDO_GID=1001

/etc/sudoers
############
Defaults env_reset
Defaults env_keep += "DISPLAY HOME GTK_RC_FILES GTK2_RC_FILES GDK_DPI_SCALE KDE_FULL_SESSION"
Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
root ALL=(ALL:ALL) NOPASSWD: ALL
local ALL=(ALL:ALL) NOPASSWD: ALL
%wheel ALL=(ALL:ALL) NOPASSWD: ALL
%sudo ALL=(ALL:ALL) NOPASSWD: ALL
%centauri ALL=NOPASSWD: /sbin/shutdown
%centauri ALL=NOPASSWD: /sbin/reboot
%vboxusers ALL=NOPASSWD: /usr/bin/systemctl start virtualbox
%vboxusers ALL=(vbox)NOPASSWD: SETENV: /usr/lib/virtualbox/*
%vboxusers ALL=NOPASSWD: /usr/bin/mount -l -- /var/centauri/vbox/*
%vboxusers ALL=NOPASSWD: /usr/bin/umount -- /var/centauri/vbox/*
%vboxusers ALL=(vbox)NOPASSWD: SETENV: /usr/bin/bash *
%users ALL=NOPASSWD: /var/centauri/tools/centauridata update
%users ALL=NOPASSWD: /var/centauri/tools/centauriusers -q passwd -

/etc/sssd/sssd.conf
###################
[sssd]
config_file_version = 2
reconnection_retries = 3
sbus_timeout = 30
domains = centauri.home

[nss]
filter_groups = root
filter_users = root
reconnection_retries = 3

[pam]
reconnection_retries = 3
offline_credentials_expiration = 365
offline_failed_login_attempts = 32
offline_failed_login_delay = 5

[domain/centauri.home]
id_provider = ad
auth_provider = ad
chpass_provider = ad
access_provider = ad
cache_credentials = true
krb5_store_password_if_offline = True
fallback_homedir = /home/%u
default_shell = /bin/bash
ldap_id_mapping = false
dyndns_update = false
ad_gpo_access_control = permissive
ad_maximum_machine_account_password_age = 0
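An added check, not part of the bug report or of sssd/sudo: it reads an env dump like the 'sudo -u local env' output above and flags a KRB5CCNAME that names the invoking user's cache (krb5cc_<SUDO_UID>_...), which is exactly the leak shown there. The function name and the sample lines are constructed for this example; the only assumption is the /tmp/krb5cc_<uid>_<random> FILE cache naming visible in the dump.

```shell
#!/bin/sh
# Added example (not from the bug report): detect a KRB5CCNAME that still
# points at the *invoking* user's Kerberos credential cache inside a sudo
# session. Reads "env"-style KEY=VALUE lines on stdin; prints a verdict and
# returns 0 when a leak is detected, 1 otherwise.
krb5cc_leak_check() {
    ccname='' sudo_uid='' user=''
    while IFS= read -r line; do
        case "$line" in
            KRB5CCNAME=*) ccname=${line#KRB5CCNAME=} ;;
            SUDO_UID=*)   sudo_uid=${line#SUDO_UID=} ;;
            USER=*)       user=${line#USER=} ;;
        esac
    done
    [ -n "$ccname" ]   || { echo "no KRB5CCNAME in environment: ok"; return 1; }
    [ -n "$sudo_uid" ] || { echo "not a sudo session: ok"; return 1; }
    # Per-user FILE caches are named /tmp/krb5cc_<uid>_<random> (as in the
    # dump above). A cache named after SUDO_UID inside a sudo session
    # belongs to the invoking user, not to the target user $user.
    case "$ccname" in
        FILE:/tmp/krb5cc_"$sudo_uid"_*|/tmp/krb5cc_"$sudo_uid"_*)
            echo "LEAK: $user inherited cache $ccname of uid $sudo_uid"
            return 0 ;;
    esac
    echo "KRB5CCNAME=$ccname does not belong to uid $sudo_uid: ok"
    return 1
}

# Constructed sample, modelled on the 'sudo -u local env' dump in the report.
sample='_=/usr/bin/env
KRB5CCNAME=FILE:/tmp/krb5cc_30010_i1f8Bd
HOME=/home/jpf
USER=local
SUDO_USER=jpf
SUDO_UID=30010'

printf '%s\n' "$sample" | krb5cc_leak_check
```

On a live system the same check runs as `sudo -u someuser env | krb5cc_leak_check`.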

