[33080] in Kerberos
Re: Help: ksu questions
daemon@ATHENA.MIT.EDU (Lee Eric)
Sat Jan 8 09:27:13 2011
MIME-Version: 1.0
In-Reply-To: <8762tzudpj.fsf@windlord.stanford.edu>
Date: Sat, 8 Jan 2011 22:27:06 +0800
Message-ID: <AANLkTi=68x2Z1+RO6ZiVSe+dSthVxonJNxjBLQAf25mT@mail.gmail.com>
From: Lee Eric <openlinuxsource@gmail.com>
To: Russ Allbery <rra@stanford.edu>
Cc: kerberos@mit.edu
Content-Type: text/plain; charset="iso-8859-1"
Errors-To: kerberos-bounces@mit.edu
Content-Transfer-Encoding: 8bit
Thanks Russ. It's very clear.
Regards,
Eric
On Sat, Jan 8, 2011 at 2:11 PM, Russ Allbery <rra@stanford.edu> wrote:
> Lee Eric <openlinuxsource@gmail.com> writes:
>
>> Thanks Russ, that's very clear. BTW, I think client users shall use
>> ksu under local machine, not remote machines. Because I notice that
>> ksu will prompt me that it's unsafe if I type Kerberos password under
>> insecure connection.
>
> Yeah, ideally in Kerberos you never enter your password into any remote
> system, but always authenticate locally and then use Kerberos to
> authenticate to remote systems. We're moving in that way (by allowing
> root logins only via GSSAPI), but the tradeoff is that you have to allow
> remote direct root logins, which makes some a bit uncomfortable.
>
> --
> Russ Allbery (rra@stanford.edu) <http://www.eyrie.org/~eagle/>
> ________________________________________________
> Kerberos mailing list Kerberos@mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
