[33075] in Kerberos


Re: Help: ksu questions

daemon@ATHENA.MIT.EDU (Lee Eric)
Fri Jan 7 23:13:57 2011

In-Reply-To: <87wrmgfvo6.fsf@windlord.stanford.edu>
Date: Sat, 8 Jan 2011 12:13:50 +0800
Message-ID: <AANLkTik0nOkhC-OL8NoZANPHf0FreQk6ER-Ew=AOdfRt@mail.gmail.com>
From: Lee Eric <openlinuxsource@gmail.com>
To: Russ Allbery <rra@stanford.edu>
Cc: kerberos@mit.edu

Thanks Russ. So it looks like I don't need to leak my root password to
client users, right?

Eric

On Sat, Jan 8, 2011 at 1:52 AM, Russ Allbery <rra@stanford.edu> wrote:
> Lee Eric <openlinuxsource@gmail.com> writes:
>
>> Is there any special advantage to use ksu?
>
> The main reason why we use ksu instead of su is because every person who
> can su to root has their own separate /root principal with a separate
> password and we want them to use those passwords instead.  In many cases,
> the set of people who know the actual root password is more limited than
> the people who can ksu (perhaps because the formula for it is shared with
> other systems those people should not be root on, for instance).
>
> You can do this with su and an appropriate PAM configuration, or with sudo
> and an appropriate PAM configuration, but it's fiddly and annoying and
> it's often easier to just use ksu.  Plus, you'd probably have to use my
> pam-krb5 module rather than whatever came with your system, since it would
> be extremely difficult to set this up without the aid of the alt_auth_map
> configuration option.
>
> --
> Russ Allbery (rra@stanford.edu)             <http://www.eyrie.org/~eagle/>
> ________________________________________________
> Kerberos mailing list           Kerberos@mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>
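
The per-person `/root` principal convention described in the quoted reply can be checked mechanically. ksu authorizes against the target account's `.k5login`, so the following added example (not part of the original messages and not code from MIT Kerberos or pam-krb5) audits a root `.k5login` and flags entries that are not `<user>/root` principals in the expected realm. The realm `EXAMPLE.ORG`, the sample file contents and the function names are constructed for illustration.

```python
"""Audit a root .k5login against a "<user>/root" principal convention."""

def parse_principal(text):
    """Split a principal into (components, realm); a backslash escapes the next char."""
    comps, buf, realm, i = [], [], None, 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):
            buf.append(text[i + 1])      # escaped "/" or "@" is data, not a separator
            i += 2
            continue
        if ch == "/" and realm is None:  # component separator (only before the realm)
            comps.append("".join(buf))
            buf = []
        elif ch == "@" and realm is None:  # start of the realm
            comps.append("".join(buf))
            buf, realm = [], ""
        else:
            buf.append(ch)
        i += 1
    if realm is None:
        comps.append("".join(buf))
    else:
        realm = "".join(buf)
    return comps, realm

def audit_k5login(text, realm, instance="root"):
    """Return [(line_no, entry, reason)] for entries outside the convention."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        entry = line.strip()
        if not entry:
            continue
        comps, prealm = parse_principal(entry)
        if prealm != realm:
            findings.append((n, entry, "unexpected realm"))
        elif len(comps) != 2 or not comps[0] or comps[1] != instance:
            findings.append((n, entry, "not a <user>/%s principal" % instance))
    return findings

# Constructed sample contents of /root/.k5login (not from the original thread).
SAMPLE = "\n".join([
    "alice/root@EXAMPLE.ORG",    # follows the convention
    "bob@EXAMPLE.ORG",           # everyday principal: bypasses the separate password
    "carol/root@OTHER.EXAMPLE",  # right shape, wrong realm
    "dave\\/root@EXAMPLE.ORG",   # escaped slash: one component named "dave/root"
    "erin/admin@EXAMPLE.ORG",    # different instance
])

if __name__ == "__main__":
    for n, entry, reason in audit_k5login(SAMPLE, "EXAMPLE.ORG"):
        print("line %d: %s: %s" % (n, entry, reason))
```

The escaped-slash entry is the case a naive `split("/")` check would accept even though it names a single-component principal.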
