[31070] in Kerberos


RE: Sudo w/Ticket Support

daemon@ATHENA.MIT.EDU (petesea@bigfoot.com)
Thu May 7 17:15:45 2009

X-Barracuda-Envelope-From: petesea@bigfoot.com
Date: Thu, 07 May 2009 14:15:11 -0700 (PDT)
From: petesea@bigfoot.com
To: miguel.sanders@arcelormittal.com
In-reply-to: <7DF29B50FFF41848BB2281EC2E71A206BA4F66@GEN-MXB-V04.msad.arcelor.net>
Message-id: <alpine.OSX.2.00.0905071405060.40807@nikto-air>
MIME-version: 1.0
Cc: kerberos@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

On Thu, 7 May 2009, miguel.sanders@arcelormittal.com wrote:

> Afaik that's not available yet (however, you could integrate it yourself).

Bummer.

> But if you already obtained a TGT, why bother authenticating again?

Because sudo prompts me.  That's what I'm trying to avoid.  I'd like sudo 
to look at my ticket cache, see that I already have a valid TGT and give 
me access without being prompted for a password.

>> But not use just use NOPASSWD.
> Last sentence should have been : "Why not use NOPASSWD?"

Main reason for not setting NOPASSWD is because I don't have control over 
the sudoers file on most of the systems I have access to.  And the SAs 
are very reluctant to use "NOPASSWD".

I believe they just want that extra layer of protection in case a 
workstation is left unattended.

I do see what you mean though.  From a security standpoint, if sudo was 
capable of using an existing TGT, that doesn't seem like it would be too 
much different than using NOPASSWD in the sudoers file.
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
