On Thu, Apr 7, 2011 at 19:00, Russ Allbery <r...@debian.org> wrote:
> Erik Dalén <erik.da...@jadestone.se> writes:
>
>> After running sudo I don't have my AFS token anymore. This can be
>> fixed by changing line 4 in /usr/share/pam-configs/afs-session to:
>
>> Auth-Type: Primary
>
>> and then run pam-auth-update again.
>
> That sounds wrong given that pam-afs-session is not a primary
> authentication mechanism and always returns success to authentication
> attempts. I'm concerned that such a change could lead to opening your
> system to allow logging in without a password or with any password in some
> cases.

To prevent that from being a problem it could be specified as
'[default=ignore]' instead of 'optional'; that way a success from it
doesn't contribute in any way even if it is the only auth module. With
optional it shouldn't be a problem unless you disable all other modules.

> The additional section should always run. Why didn't it in your case with
> sudo? Could you show me a copy of /etc/pam.d/sudo,
> /etc/pam.d/common-auth, and /etc/pam.d/common-session from your system
> when this is not working properly?

Most of the files are the defaults from Debian squeeze with the krb5 & afs
PAM modules enabled, with the addition of passwordless sudo for members of
the wheel group.

/etc/pam.d/common-auth:

# here are the per-package modules (the "Primary" block)
auth [success=2 default=ignore] pam_krb5.so minimum_uid=1000
auth [success=1 default=ignore] pam_unix.so nullok_secure try_first_pass
# here's the fallback if no module succeeds
auth requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
auth required pam_permit.so
# and here are more per-package modules (the "Additional" block)
auth optional pam_afs_session.so
# end of pam-auth-update config

/etc/pam.d/sudo:

#%PAM-1.0
@include common-auth
@include common-account
session required pam_permit.so
session required pam_limits.so

/etc/pam.d/common-session:

# here are the per-package modules (the "Primary" block)
session [default=1] pam_permit.so
# here's the fallback if no module succeeds
session requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
session required pam_permit.so
# and here are more per-package modules (the "Additional" block)
session optional pam_krb5.so minimum_uid=1000
session required pam_unix.so
session optional pam_afs_session.so
# end of pam-auth-update config

And in /etc/sudoers.d I have a file that specifies:

%wheel ALL=(ALL) NOPASSWD: ALL

and I am a member of group 'wheel'.

-- 
Erik Dalén
System Administrator
Jadestone
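As an added illustration (not code from the thread, Debian, pam-auth-update or libpam): a toy evaluator of Linux-PAM control actions run over the common-auth stack quoted above, showing why the optional entry in the Additional block cannot grant access on a wrong password, why a Primary-block entry with a success=N jump would, and why the '[default=ignore]' variant does not. The module return values and the renumbered jump controls for the two hypothetical Primary placements are constructed for the demonstration.

```python
# Toy evaluator for Linux-PAM control actions (ok/done/bad/die/ignore/N jump);
# added illustration, not code from libpam, pam-auth-update or the thread.
KEYWORDS = {
    "required":   {"success": "ok",   "default": "bad"},
    "requisite":  {"success": "ok",   "default": "die"},
    "sufficient": {"success": "done", "default": "ignore"},
    "optional":   {"success": "ok",   "default": "ignore"},
}

def parse_control(ctrl):
    # "required" or "[success=2 default=ignore]" -> {retval: action}
    if ctrl.startswith("["):
        return dict(kv.split("=", 1) for kv in ctrl.strip("[]").split())
    return KEYWORDS[ctrl]

def run_stack(stack, results):
    # stack: [(control, module)]; results: module -> return value. Simplified
    # pam_dispatch: the first recorded verdict sticks, N skips N modules.
    status, i = None, 0
    while i < len(stack):
        ctrl, module = stack[i]
        table = parse_control(ctrl)
        action = table.get(results.get(module, "auth_err"), table.get("default", "bad"))
        i += 1
        if action.isdigit():                 # N: counts as ok, then jump
            status, i = status or "success", i + int(action)
        elif action in ("ok", "done"):
            status = status or "success"
        elif action in ("bad", "die"):
            status = status or "fail"
        if action in ("done", "die"):
            break
    return status or "fail"                  # nothing recorded = denied

# Constructed results for a wrong password: pam_afs_session reports success
# regardless, which is the property Russ's message warns about.
WRONG_PW = {"pam_krb5.so": "auth_err", "pam_unix.so": "auth_err", "pam_deny.so":
            "auth_err", "pam_permit.so": "success", "pam_afs_session.so": "success"}
TAIL = [("requisite", "pam_deny.so"), ("required", "pam_permit.so")]
AFS = "pam_afs_session.so"

def verdicts():
    shipped = [("[success=2 default=ignore]", "pam_krb5.so"),
               ("[success=1 default=ignore]", "pam_unix.so")] + TAIL + [("optional", AFS)]
    primary = [("[success=3 default=ignore]", "pam_krb5.so"),   # jumps renumbered
               ("[success=2 default=ignore]", "pam_unix.so")]   # as if afs were Primary
    return {"shipped": run_stack(shipped, WRONG_PW),
            "primary_jump": run_stack(primary + [("[success=1 default=ignore]", AFS)] + TAIL, WRONG_PW),
            "primary_ignore": run_stack(primary + [("[default=ignore]", AFS)] + TAIL, WRONG_PW)}
```

The "primary_jump" verdict is the misconfiguration to check for after editing a pam-configs profile: an always-succeeding module given a success=N control skips pam_deny and the stack passes on any password.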