[32769] in Kerberos
Re: Using ksu/sudo with Kerberos
daemon@ATHENA.MIT.EDU (Russ Allbery)
Mon Oct  4 17:38:59 2010
From: Russ Allbery <rra@stanford.edu>
To: "Christopher D. Clausen" <cclausen@acm.org>
In-Reply-To: <08FD8113AE1F4BB4AE81A00E28DCFEE6@CDCHOME> (Christopher D. Clausen's message of "Mon, 4 Oct 2010 15:47:00 -0500")
Date: Mon, 04 Oct 2010 14:38:54 -0700
Message-ID: <87bp798wpd.fsf@windlord.stanford.edu>
MIME-Version: 1.0
Cc: kerberos@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
"Christopher D. Clausen" <cclausen@acm.org> writes:
> Russ Allbery <rra@stanford.edu> wrote:
>> We do this, except we use .k5login with a specific list of principals that
>> should have access to root.  I wouldn't use auth_to_local for...
> Note that depending upon your SSH setup, adding user principals to root's
> .k5login (or auth_to_local rules) might allow one to log in directly as root
> on the system via SSH.  In general, that is exactly what I prefer to do:
> ssh root@machine gets me in as root but logs that cclausen (or 
> cclausen/admin) made the connection.  Of course it doesn't log every 
> individual action, but IIRC neither does ksu.
Same here.  I prefer that to ksu since it doesn't expose the password on
the local system.
> I have PermitRootLogin set to without-password in sshd_config so that 
> Kerberos is allowed but not password based auth for the root user.
Yup.  You may want to also disable public key authentication.
-- 
Russ Allbery (rra@stanford.edu)             <http://www.eyrie.org/~eagle/>
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
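As an added illustration (not from either poster), this is what the setup the two describe looks like in sshd_config on a current OpenSSH, with the root .k5login shown alongside; the realm EXAMPLE.ORG and the second principal are placeholders, since the thread names neither.

```sshd_config
# Assumed global baseline (not from the thread): no password-style auth anywhere,
# Kerberos via GSSAPI on, forwarded credentials removed at logout.
PasswordAuthentication no
KbdInteractiveAuthentication no
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes

# What Christopher set: root may log in, but never with a password.
# "without-password" is the 2010 spelling; OpenSSH 7.0+ calls it
# "prohibit-password" and still accepts the old name as an alias.
PermitRootLogin without-password

# Russ's addition: no public keys for root either, so the only way to reach
# root over SSH is a Kerberos ticket for a principal listed in /root/.k5login.
# sshd then logs which principal was authorized to root, which is the audit
# trail the thread describes (per-connection, not per-command).
Match User root
    PubkeyAuthentication no
    GSSAPIAuthentication yes

# /root/.k5login, one principal per line, owned by root and mode 0600 so
# nobody else can add themselves.  Realm and second entry are placeholders.
#   cclausen/admin@EXAMPLE.ORG
#   otheradmin/admin@EXAMPLE.ORG
```

Check the effective values for root with `sshd -T -C user=root,host=example,addr=127.0.0.1 | grep -i -E 'permitrootlogin|pubkey|gssapi|password'` before reloading; sshd -T prints the merged result of the Match block.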