
Re: Using ksu/sudo with Kerberos

daemon@ATHENA.MIT.EDU (Russ Allbery)
Mon Oct 4 16:25:44 2010

From: Russ Allbery <rra@stanford.edu>
To: kerberos@mit.edu
In-Reply-To: <20101004154504.GA4870@talktalkplc.com> (Brian Candler's message
	of "Mon, 4 Oct 2010 16:45:04 +0100")
Date: Mon, 04 Oct 2010 13:25:37 -0700
Message-ID: <87r5g5903i.fsf@windlord.stanford.edu>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

Brian Candler <B.Candler@pobox.com> writes:

> (1) create separate principals for each user who should have root access,
> e.g.
>       candlerb@FOO.EXAMPLE.COM
>       candlerb/admin@FOO.EXAMPLE.COM

> Then map */admin to the root account using auth_to_local, and people
> can use ksu to switch.

We do this, except we use .k5login with a specific list of principals that
should have access to root.  I wouldn't use auth_to_local for...

> (I'm not sure I like the idea of burying "/admin" inside a principal's name;
> that seems to be mixing authentication and authorization. And that would
> apply a single authorization policy across all systems)

...exactly that reason.

-- 
Russ Allbery (rra@stanford.edu)             <http://www.eyrie.org/~eagle/>
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
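The following is an added example, not code from the post above, from ksu or from MIT krb5. It models the two root-access policies the thread contrasts: a per-host ~root/.k5login that names specific principals (Russ's approach), and a realm-wide auth_to_local policy that maps every */admin principal in the realm to root (Brian's proposal). The realm FOO.EXAMPLE.COM and the candlerb principals come from the quoted message; the other principal names and the .k5login contents are constructed. The .k5login check is modelled as an exact per-line match of principal names, and the auth_to_local side captures only the intent of a "*/admin -> root" mapping rather than krb5.conf RULE syntax.

```python
"""Added example, not part of the mailing-list post or of MIT krb5/ksu.

It contrasts the two ways of granting root that the thread discusses:

  1. a per-host ~root/.k5login naming specific principals, and
  2. a realm-wide auth_to_local policy that maps every */admin principal in
     the realm to the local root account.

The realm comes from the quoted message; the other principal names and the
.k5login contents are constructed. The auth_to_local model captures only the
intent of a "*/admin -> root" mapping; it does not parse krb5.conf RULE syntax.
"""

from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Tuple


@dataclass(frozen=True)
class Principal:
    primary: str
    instance: str   # "" when the principal has no instance component
    realm: str

    @classmethod
    def parse(cls, name: str) -> "Principal":
        # Minimal parser for "primary[/instance]@REALM". It does not handle
        # backslash-escaped '/' or '@', which real principal names may use.
        if name.count("@") != 1:
            raise ValueError(f"expected exactly one '@' in {name!r}")
        local, realm = name.split("@")
        if not local or not realm:
            raise ValueError(f"malformed principal {name!r}")
        primary, _, instance = local.partition("/")
        if not primary:
            raise ValueError(f"empty primary component in {name!r}")
        return cls(primary, instance, realm)


def k5login_allows(k5login_text: str, client: str) -> bool:
    """Model of a .k5login check: one principal per line, exact match.

    There are no wildcards and no instance-based matching: the client is
    authorized only if its full principal name appears on some line.
    Authorization therefore lives on the host, in the file, per account.
    """
    wanted = Principal.parse(client)
    for line in k5login_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            if Principal.parse(line) == wanted:
                return True
        except ValueError:
            # A line that is not a principal name can never match anything.
            continue
    return False


def admin_rule_allows(client: str, realm: str) -> Optional[str]:
    """Model of the realm-wide policy: any principal in REALM whose instance
    is 'admin' maps to the local account 'root'.

    Returns the local account name, or None when the rule does not apply.
    Here authorization is carried by the principal's *name*, so the same
    answer holds on every host that shares the krb5.conf mapping.
    """
    p = Principal.parse(client)
    if p.realm == realm and p.instance == "admin":
        return "root"
    return None


def compare_policies(k5login_text: str, realm: str,
                     clients: Iterable[str]) -> Dict[str, Tuple[bool, Optional[str]]]:
    """For each client principal, report (allowed by .k5login, account the
    */admin rule maps it to). Rows where the two disagree are exactly the
    cases where the per-host list is doing work the name-based rule cannot."""
    return {c: (k5login_allows(k5login_text, c), admin_rule_allows(c, realm))
            for c in clients}


REALM = "FOO.EXAMPLE.COM"

# Constructed ~root/.k5login for one particular host: only these admins.
ROOT_K5LOGIN = """\
candlerb/admin@FOO.EXAMPLE.COM
bob/admin@FOO.EXAMPLE.COM
"""

# Constructed client principals presenting tickets to ksu on that host.
CANDIDATES = [
    "candlerb/admin@FOO.EXAMPLE.COM",    # listed: allowed either way
    "candlerb@FOO.EXAMPLE.COM",          # everyday principal: refused either way
    "newhire/admin@FOO.EXAMPLE.COM",     # has /admin, but not on this host's list
    "candlerb/admin@OTHER.EXAMPLE.COM",  # same name, foreign realm
]


if __name__ == "__main__":
    for client, (listed, mapped) in compare_policies(ROOT_K5LOGIN, REALM, CANDIDATES).items():
        listed_s = "yes" if listed else "no"
        print(f"{client:36} .k5login={listed_s:3}  */admin rule={mapped or 'no'}")
```

The row for newhire/admin is the one Russ is pointing at: the */admin rule grants root on every host the moment the principal is created, while the per-host .k5login grants nothing until someone adds that name to that file. The model is only for reasoning about the policy; the authoritative answer on a given host is ksu itself, run as the principal in question.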