[32620] in Kerberos

Re: Query regarding ksu.

daemon@ATHENA.MIT.EDU (Russ Allbery)
Wed Sep 1 14:21:58 2010

From: Russ Allbery <rra@stanford.edu>
To: Use Nas <usenas@gmail.com>
In-Reply-To: <AANLkTimCn-kpoS4TRR1atbasaqWPgQc8SGaKe1=9+S=6@mail.gmail.com>
	(Use Nas's message of "Wed, 1 Sep 2010 23:49:10 +0530")
Date: Wed, 01 Sep 2010 11:21:53 -0700
Message-ID: <87vd6pwchq.fsf@windlord.stanford.edu>
MIME-Version: 1.0
Cc: krbdev@mit.edu, kerberos@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

Use Nas <usenas@gmail.com> writes:

> However, there is a belief that we should be able to ksu to any non-root
> user (when logged in as root), similar to the su command. But I think it
> is against the design of Kerberos, as we always need the password to
> decrypt the TGT sent by the KDC.

> Is the above statement correct?

Presumably if you ksu'd without a password or a ticket to another user,
you wouldn't get Kerberos tickets for that user and it would just be
acting like su.  Yes, root has no special ability to get tickets for
another user without knowing that user's credentials.

-- 
Russ Allbery (rra@stanford.edu)             <http://www.eyrie.org/~eagle/>
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos