[32762] in Kerberos


Using ksu/sudo with Kerberos

daemon@ATHENA.MIT.EDU (Brian Candler)
Mon Oct 4 11:45:13 2010

Date: Mon, 4 Oct 2010 16:45:04 +0100
From: Brian Candler <B.Candler@pobox.com>
To: kerberos@mit.edu
Message-ID: <20101004154504.GA4870@talktalkplc.com>
MIME-Version: 1.0
Content-Disposition: inline
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

I am wondering, what are people using instead of sudo in a Kerberized
environment?

So far I can see the following options:

(1) create separate principals for each user who should have root access,
e.g.
      candlerb@FOO.EXAMPLE.COM
      candlerb/admin@FOO.EXAMPLE.COM

Then map */admin to the root account using auth_to_local, and people
can use ksu to switch.

(I'm not sure I like the idea of burying "/admin" inside a principal's name;
that seems to be mixing authentication and authorization. And that would
apply a single authorization policy across all systems.)

(2) Use sudo with NOPASSWD for users who are members of a particular group

(3) Use sudo with pam_krb5, so user has to enter their password again.
Kerberos is then just acting as a password oracle (ick).

Are there any others I should be considering?

Thanks,

Brian.
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
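For reference, option (1) above in concrete form: an added example krb5.conf fragment (not from the original post) that maps every two-component `*/admin` principal in the realm to the local `root` account while leaving ordinary principals mapped to their own name. The realm name and the rule ordering are assumptions; the MIT `auth_to_local` RULE syntax is `RULE:[n:format](regexp)s/pattern/replacement/`.

```ini
# Example only, not part of the original post.
# Realm name FOO.EXAMPLE.COM is taken from the post's example principals.
[realms]
    FOO.EXAMPLE.COM = {
        # [2:$1;$2] selects principals with exactly two components and
        # formats them as "<first>;<second>", e.g. "candlerb;admin".
        # The regexp then matches only names whose second component is
        # "admin", and the substitution rewrites the whole string to "root".
        # Rules are evaluated in order; the first match wins.
        auth_to_local = RULE:[2:$1;$2](^.*;admin$)s/^.*$/root/
        # Single-component principals in the local realm (candlerb@FOO.EXAMPLE.COM)
        # still map to the same-named local account, so "ksu" without a
        # target and normal logins keep working.
        auth_to_local = DEFAULT
    }
```

With this in place, `ksu root` authenticates against the caller's `candlerb/admin` credentials and the mapping, not the root password; since the rule lives in the host's krb5.conf, every host carrying it grants root to every `*/admin` principal, which is the single-policy drawback the post points out.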
