[32619] in Kerberos


Re: Query regarding ksu.

daemon@ATHENA.MIT.EDU (Use Nas)
Wed Sep 1 14:19:18 2010

MIME-Version: 1.0
In-Reply-To: <87occhxto2.fsf@windlord.stanford.edu>
Date: Wed, 1 Sep 2010 23:49:10 +0530
Message-ID: <AANLkTimCn-kpoS4TRR1atbasaqWPgQc8SGaKe1=9+S=6@mail.gmail.com>
From: Use Nas <usenas@gmail.com>
To: Russ Allbery <rra@stanford.edu>
Cc: krbdev@mit.edu, kerberos@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

Thanks Russ.

However, I still have a doubt regarding the statement mentioned below:

However, there is a belief that we should be able to ksu to any
non-root user (when logged in as root), similar to the su command. But I think
it is against the design of Kerberos, as we always need the password to
decrypt the TGT sent by the KDC.

Is the above statement correct?

Thanks
-S

On Wed, Sep 1, 2010 at 10:55 PM, Russ Allbery <rra@stanford.edu> wrote:

> Use Nas <usenas@gmail.com> writes:
>
> > =======
> > Situation :
> > =======
>
> > Source User: root
> > Target User: non_root_user
>
> > There are no tickets in cache and currently we are logged in as "root"
> > user.
> > #ksu non_root_user
>
> > What should be the expected behavior of the above command?
>
> > I believe that if the source user is "root" and target is "non root" &
> > there is no ticket in the cache, then it should prompt for the
> > password for "non root" user.  If there is a ticket in the cache, then it
> > doesn't prompt for the password and creates a valid context and ticket.
>
> That sounds right to me, assuming that you mean a ticket for the target
> user (not just any ticket).
>
> > However, there is a belief that we should be able to ksu to any
> > non-root user (when logged in as root), similar to the su command. But
>
> If one wants su, I think one should just use su.  "root" has no special
> meaning for Kerberos, and the above behavior seems more useful to me for
> ksu.
>
> --
> Russ Allbery (rra@stanford.edu)             <http://www.eyrie.org/~eagle/>
>
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
