[29682] in Kerberos


Using ksu for authenticated su-- problem

daemon@ATHENA.MIT.EDU (David Konerding)
Mon Apr 14 14:54:52 2008

Message-ID: <4f0f0cb0804141154p19ab9ed4o93d07ecabcf8107e@mail.gmail.com>
Date: Mon, 14 Apr 2008 11:54:01 -0700
From: "David Konerding" <dakoner@gmail.com>
To: kerberos@mit.edu
MIME-Version: 1.0
Content-Disposition: inline
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

Hi,

We are trying to enable a user to execute a command as another user when
they have the second user's credentials already.

For example, we'd like to be able to do this:

usera% kinit userb
Password for userb@EXAMPLE.COM:

now that usera has userb's credentials, we want to allow them to run a
command as userb:

userb% ksu userb -e /bin/ls /mnt/private

Now, we've been able to set up .k5login or .k5users to allow limited
versions of this. We have no problem allowing usera to ksu to userb this
way, but we want to eliminate the need for userb to create .k5login or
.k5users.

The reasoning is this: the .k5login and .k5users mechanism provides no
additional security for us because we allow Kerberos-based ssh login; if
usera already has userb's credentials they can ssh to localhost and
execute any command. ssh is a bit slower (0.5 seconds compared to 0.01
seconds) and we don't want to pay that latency.

Our thinking was to modify ksu to remove the .k5users checking mechanism.
Does anybody know if we can get this behavior with stock ksu without
modifying .k5users?

Thanks,
Dave
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
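The .k5users check the post is considering dropping is what limits a principal to particular commands on the target account, so it helps to see it in its restricted form. The following is an added example, not ksu's code and not from the poster: a POSIX sh model of the per-line authorization rule ksu applies to .k5users, run against a constructed file that lets usera@EXAMPLE.COM run only ls and klist as userb. The file contents and the basename matching of commands are assumptions of this example.

```shell
# Added model of the .k5users check ksu performs for "ksu <user> -e <cmd>".
# Not ksu's own code; the .k5users contents below are constructed.
# Rules modelled (from the ksu manual): each line is "principal [cmd ...]";
#   "*" after the principal  -> may run any command, including the shell
#   a command list           -> may run only those commands with -e
#   no commands              -> may run only the target user's default shell
# Assumption of this example: commands match by basename (so "ls" == "/bin/ls");
# real ksu resolves relative names through its compiled-in command path.
set -f                      # keep "*" in .k5users literal (no globbing)

K5USERS=$(mktemp)           # stands in for /home/userb/.k5users
cat > "$K5USERS" <<'EOF'
# constructed sample .k5users for target user userb
usera@EXAMPLE.COM /bin/ls /usr/bin/klist
userb/admin@EXAMPLE.COM *
userc@EXAMPLE.COM
EOF

# k5users_allows FILE PRINCIPAL COMMAND
#   An empty COMMAND means ksu was run without -e (default shell requested).
#   Prints "allow" or "deny"; exit status 0 for allow, 1 for deny.
k5users_allows() {
    file=$1; princ=$2; cmd=$3
    want=${cmd##*/}                              # basename of requested command
    while read -r p rest; do
        case "$p" in ''|'#'*) continue ;; esac   # skip blank and comment lines
        [ "$p" = "$princ" ] || continue
        set -- $rest                             # $@ = command tokens on the line
        if [ -z "$cmd" ]; then                   # shell request: bare entry or "*"
            if [ $# -eq 0 ] || [ "$1" = '*' ]; then echo allow; return 0; fi
            continue
        fi
        for c in "$@"; do
            if [ "$c" = '*' ] || [ "${c##*/}" = "$want" ]; then
                echo allow; return 0
            fi
        done
    done < "$file"
    echo deny; return 1
}

# Demo: the request from the question, plus requests that must be refused.
for req in "usera@EXAMPLE.COM /bin/ls" "usera@EXAMPLE.COM /bin/rm" \
           "usera@EXAMPLE.COM" "userb/admin@EXAMPLE.COM /bin/rm" \
           "userc@EXAMPLE.COM" "userc@EXAMPLE.COM /bin/ls"; do
    set -- $req
    printf '%-26s %-10s -> %s\n' "$1" "${2:-<shell>}" \
        "$(k5users_allows "$K5USERS" "$1" "${2:-}")"
done
```

The demo shows that usera's credential alone, when listed with a command list, does not grant a shell on userb, only the listed commands.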
