[31071] in Kerberos
Re: Sudo w/Ticket Support
daemon@ATHENA.MIT.EDU (Christopher D. Clausen)
Thu May 7 17:38:05 2009
Message-ID: <42710EB12789487A8095FA98CB01F1DE@CDCHOME>
From: "Christopher D. Clausen" <cclausen@acm.org>
To: <petesea@bigfoot.com>
Date: Thu, 7 May 2009 16:35:58 -0500
MIME-Version: 1.0
Cc: kerberos@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
petesea@bigfoot.com wrote:
> Main reason for not setting NOPASSWD is because I don't have control
> over the sudoers file on most of the systems I have access to. And
> the SAs are very reluctant to use "NOPASSWD".
Do you know about the ksu command?
Or using a ~root/.k5login and ssh -o "GSSAPIAuthentication yes" root@`hostname` ?
> I believe they just want that extra layer of protection in case a
> workstation is left unattended.
People who leave workstations unattended should not have sudo access.
Also, if unattended and the tickets are still valid, someone can still
use them.
> I do see what you mean though. From a security standpoint, if sudo
> was capable of using an existing TGT, that doesn't seem like it would
> be too much different than using NOPASSWD in the sudoers file.
Yes, exactly. Except it will stop working once the tickets expire, so
there is some trivial level of safety.
<<CDC
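A small shell wrapper, added here as an example and not code from the thread or from MIT Kerberos, that makes the "it stops working once the tickets expire" point concrete: it reads the krbtgt expiry out of `klist` output and only calls ksu (the same gate works for the ~root/.k5login plus GSSAPI ssh variant) while the TGT is still valid, failing closed otherwise instead of letting ksu fall through to a password prompt. The klist sample, the principal pete@EXAMPLE.COM and the host ws1.example.com are constructed for the example; the parser assumes MIT klist's layout (start date/time, expiry date/time, service principal) with either two- or four-digit years.

```sh
#!/bin/sh
# Added example, not code from the thread above. Checks the cached TGT's
# expiry before using ksu to get root, so an expired cache fails closed.
#
# Assumptions: MIT Kerberos `klist` output layout (two date/time columns,
# MM/DD/YYYY or MM/DD/YY, then the service principal), local-time
# timestamps, and the hypothetical principal pete@EXAMPLE.COM.

# Constructed sample klist output (not captured from a real system):
SAMPLE_KLIST='Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: pete@EXAMPLE.COM

Valid starting       Expires              Service principal
05/07/2009 16:35:58  05/08/2009 02:35:58  krbtgt/EXAMPLE.COM@EXAMPLE.COM
05/07/2009 16:36:10  05/08/2009 02:35:58  host/ws1.example.com@EXAMPLE.COM'

# Same cache with the TGT gone and only a service ticket left:
# there is nothing ksu could use here.
SAMPLE_KLIST_NO_TGT='Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: pete@EXAMPLE.COM

Valid starting       Expires              Service principal
05/07/2009 16:36:10  05/08/2009 02:35:58  host/ws1.example.com@EXAMPLE.COM'

# Print the expiry of the krbtgt/<realm> ticket in $1 (klist output) as
# "YYYY-MM-DD HH:MM:SS", a form that orders correctly as a plain string.
# Prints nothing when the cache holds no TGT.
tgt_expiry() {
  printf '%s\n' "$1" | awk '
    $5 ~ /^krbtgt\// {
      split($3, d, "/")                        # d[1]=MM d[2]=DD d[3]=YY or YYYY
      if (length(d[3]) == 2) d[3] = "20" d[3]  # older klist printed 2-digit years
      print d[3] "-" d[1] "-" d[2] " " $4
      exit
    }'
}

# Exit 0 only if the TGT in $1 is still valid at $2, a timestamp in the
# same "YYYY-MM-DD HH:MM:SS" form; $2 defaults to now in local time,
# which is what klist prints.
tgt_valid_at() {
  expiry=$(tgt_expiry "$1")
  now=${2:-$(date +"%Y-%m-%d %H:%M:%S")}
  [ -n "$expiry" ] && awk -v a="$expiry" -v b="$now" 'BEGIN { exit (a > b) ? 0 : 1 }'
}

# Become root via ksu only while the cached TGT is live. ksu (installed
# setuid root) authorizes the cache's principal against ~root/.k5login,
# which for this example is assumed to contain the single line:
#     pete@EXAMPLE.COM
# The same gate applies to the ssh variant from the mail:
#     ssh -o "GSSAPIAuthentication yes" root@"$(hostname)"
root_shell() {
  if tgt_valid_at "$(klist 2>/dev/null)"; then
    exec ksu root
  fi
  echo "no valid TGT in the credential cache; run kinit first" >&2
  return 1
}

# Only attempt the real thing when invoked as: ./tgtroot.sh shell
if [ "${1:-}" = "shell" ]; then
  root_shell
fi
```

Because `tgt_valid_at` compares against the local clock, the wrapper degrades exactly as the mail describes: a workstation left unattended is still usable for as long as the TGT lives, and not a second longer.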
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos