[33078] in Kerberos
Re: Help: ksu questions
daemon@ATHENA.MIT.EDU (Russ Allbery)
Sat Jan 8 01:11:41 2011
From: Russ Allbery <rra@stanford.edu>
To: kerberos@mit.edu
In-Reply-To: <AANLkTin+xwBB4__diD=60948u_kqTCNhmuVt+4n60myz@mail.gmail.com>
(Lee Eric's message of "Sat, 8 Jan 2011 14:09:41 +0800")
Date: Fri, 07 Jan 2011 22:11:36 -0800
Message-ID: <8762tzudpj.fsf@windlord.stanford.edu>
Lee Eric <openlinuxsource@gmail.com> writes:
> Thanks Russ, that's very clear. BTW, I think client users shall use
> ksu on the local machine, not on remote machines, because I notice that
> ksu will prompt me that it's unsafe if I type my Kerberos password over
> an insecure connection.
Yeah, ideally in Kerberos you never enter your password into any remote
system, but always authenticate locally and then use Kerberos to
authenticate to remote systems. We're moving in that way (by allowing
root logins only via GSSAPI), but the tradeoff is that you have to allow
remote direct root logins, which makes some a bit uncomfortable.
--
Russ Allbery (rra@stanford.edu) <http://www.eyrie.org/~eagle/>